Computer Viruses and Other Malicious Software

A THREAT TO THE INTERNET ECONOMY

ORGANISATION FOR ECONOMIC CO-OPERATION AND DEVELOPMENT




Italy, Japan, Korea, Luxembourg, Mexico, the Netherlands, New Zealand, Norway, Poland, Portugal, the Slovak Republic, Spain, Sweden, Switzerland, Turkey, the United Kingdom and the United States. The Commission of the European Communities takes part in the work of the OECD.

OECD Publishing disseminates widely the results of the Organisation's statistics gathering and research on economic, social and environmental issues, as well as the conventions, guidelines and standards agreed by its members.

This work is published on the responsibility of the Secretary-General of the OECD. The opinions expressed and arguments employed herein do not necessarily reflect the official views of the Organisation or of the governments of its member countries.



Foreword

Addressed primarily to policy makers, this book was developed over the course of 2007, by the OECD Working Party on Information Security and Privacy (WPISP) in partnership with the Asia Pacific Economic Co-operation Telecommunication and Information Working Group (APEC TEL) Security and Prosperity Steering Group (SPSG). The report was declassified by the Committee for Information, Computer and Communications Policy (ICCP) on 6 March 2008.

In drafting the book, Audrey Plonk and Anne Carblanc from the OECD Secretariat have been assisted by Michel van Eeten of Delft University of Technology and Johannes Bauer of Michigan State University, consultants to the OECD, who have written Part II, and by a group of experts who provided feedback on Parts I and III. This group of experts included Mr. Ingram and Ms. Kathryn Kerr (AusCERT); Mr. Colin Whittaker (APACS, UK Trade Association); Mr. Gilles Andre and Mr. Fabian Pouget (CERTA France); Mr. Kevin Houle and Mr. Jeffrey J. Carpenter (CERT/CC); Mr. Erka Koivunen and Mr. Kauto Huopio (CERT-FI Finland); Dr. Pei-Wen Liu (Chinese Taipei); Mr. HyunCheol Jeong and Mr. Cho (KrCERT/CC Korea); Mr. David Pollington, Mr. Jean-Christophe Le Toquin and Mr. Uwe Manuel Rasmussen (Microsoft); Mr. Christophe Birkeland (NORCERT Norway); Mr. Bill Woodcock (Packet Clearing House); and Mr. Jeremy Ward (Symantec Corporation). The Secretariat also benefited from the contribution of OECD and APEC delegates, including Mr. Keith Besgrove and Ms. Sabeena Oberoi (Australia); Mr. Shamsul Jafni Shafie (Malaysia); Mr. Jean-Jacques Sahel and Mr. Geoff Smith (United Kingdom); and Ms. Jordana Siegel and Mr. Goldfarb (United States). The Dutch government made a special contribution to enable work on the economics of malware, which is gratefully acknowledged.



Acknowledgements

A new study such as the one on the economics of malware (Part II) incurs a considerable debt along the way. First and foremost, we thank our interviewees, who gave generously of their time. They also provided valuable comments on a draft version of this report and checked and approved the use of their quotes where appropriate. Their input is greatly appreciated. To maintain confidentiality, none of those interviewed is named in the text.

Special thanks go to our colleagues Mark de Bruijne, Wolter Lemstra and John Groenewegen in Delft and Tithi Chattopadhyay and Yuehua Wu in East Lansing. They have provided invaluable contributions in the course of the project and we have greatly benefited from the exchanges of ideas with them.

We also would like to thank Anne Carblanc, Audrey Plonk and Sam Paltridge at the OECD and Ronald van der Luit and Edgar de Lange at the Netherlands Ministry of Economic Affairs for supporting this research and for their engaging questions and comments. Selected findings from this study are included in the OECD's report on Malicious Software (Malware): A Security Threat to the Internet Economy, developed in collaboration with the APEC Telecommunications Working Group.

We have given presentations to conferences on our findings, including the Telecommunications Policy Research Conference (Alexandria, VA, September 28-30, 2007), the LAP/CNSA/MAAWG Workshop (Arlington, 9-11, 2007) and the 2007 GOVCERT conference (Noordwijk, October 2007). Some of the very best feedback has been from the presentation of interim findings at the meetings of the OECD WPISP and the workshops with policy makers at the Dutch Ministry of Economic Affairs.



Table of Contents

Executive Summary 11

Background 15

Part I. The Scope of Malware 19

Chapter 1. An Overview of Malware 21

What is malware? 21

How does malware work? 21

Malware on mobile devices 27

The Malware Internet: botnets 27

What are botnets used for? 30

Command and Control (C&C) models 30

figures 31

and broadband 31

botnets 33

of blacklists in combating botnets 35

Chapter 2. Malware Attacks: Why, When and How? 41

of malware attacks 41

attacks on the DNS 41

that modify data 44

on identity 45

on single and multi-factor authentication 46

on digital certificates and secure socket layer (SSL) 47

How attacks are perpetrated 48

attack trends 52

of malware attacks 53

Chapter 3. Malware: Why Should We Be Concerned? 65

-enabling factors 65

of malware 67

Challenges to fighting malware 74

Part II. The Economics of Malware 79

Chapter 4. Cybersecurity and Economic Incentives 81

focus on incentive structures 82

economic perspective 84

Chapter 5. Survey of Market Participants: What Drives Their Security Decisions? 89

Internet service providers 89

E-commerce companies 103

Software vendors 10"

Domain name registrars 122

133

Annex 5.A1. List of Interviewees 137

Chapter 6. The Market Consequences of Cybersecurity: Externalities and Ways to Address Them 139

Major categories of externalities 139

tional and efficiency effects 143

on the costs of malware 145

findings 146

Part III. Malware: What Can Be Done? 149

Chapter 7. The Role of End Users, Business and Government 151

participants 151

Incentives and disincentives - Highlights from Part II 152

on society at large 155

Chapter 8. What Is Already Being Done? 157

Summary of key efforts 157

structures and initiatives that address malware 159

Annex A. Background Data on Malware 195

Annex B. Research Design for Economics of Malware 209

Annex C. A Framework for Studying the Economics of Malware 213

Glossary of Malware Terms 227

Bibliography 231



Figures

US-CERT incident reporting trends 24

Top five malware (2007) 25

The botnet lifecycle 29

Command and control for botnets 31

Online ID theft attack system involving malware 51

General attack trends 52

Malicious actors 54

ibility of malware vs. malicious intent 56

Self-sustaining attack system using malware 58

Botnet infection rate of Korea (2005-2006) 75

Online ID theft trojan incidents handled by AusCERT 196

Total artefacts by month 198

New artefacts per month 198

CERT-FI Abuse Autoreporter monthly case processing volume 199

Incident reporting to KrCERT/CC by month (2005-2006) 200

Information gathered from KrCERT/CC honeynets 200

Incidents handled by NorCERT in 2007 201

Trojan incidents targeting UK banks 202

Increase in the number of new malicious programmes 202

Microsoft malicious software activity 203

Trojans versus Windows Worms and Viruses in 2006 204

Malicious code types by volume 205

Information industry value net 214

Markets for crime and security 214

Markets for crime and security 217

with reputation 225



Boxes

Malware: a brief history 22

Examples of malware propagation vectors 26

Dutch botnet case 17

v. Dugger 35

Estonian case 4?

A closer look at DNS 44

A two-factor token attack 47

Problems with digital certificates and SSL 48

A ransom example: the Arhiveus 49

The case of Michael and Ruth Haephrati 50

OECD Guidelines and the economics of cybersecurity 83

The problem with prevailing research methods 86

Microsoft's Vista: an attempt to balance compatibility and security 118

types of incentives 153

Summary of sample data on malware 206



Executive Summary

Spurred by the prevalence of always-on, high-speed connections, the Internet has become a powerful tool for enhancing innovation and productivity. The increasing dependence on the Internet and other communication networks, however, means the Internet has also become a popular and efficient way to distribute computer viruses and other types of malicious software.

"Viruses", "worms" and "zombies" might sound like science fiction, but they are in fact the reality presented by the spread of malware. The power and threat of malware are that it can infiltrate, manipulate or damage individual computers, as well as entire electronic information networks, without the users' knowing anything is amiss.

All of this has brought the electronic world to an important juncture. The onslaught of malware attacks is increasing, both in frequency and sophistication, thus posing a serious threat to the Internet economy and to national security. At the same time, current efforts to fight malware are not up to the task of addressing this growing global threat: malware response and mitigation efforts are essentially fragmented, local and mainly reactive.

This report is a first step toward addressing the threat of malware in a comprehensive, global manner. As such, the report has three major aims: (1) to inform policy makers about malware - its growth, evolution and countermeasures to combat it; (2) to present new research into the economic incentives driving cyber-security decisions; and (3) to make specific recommendations on how the international community can better work together to address the problem.

The need for a consistent approach to a global problem is not new, but malware presents particular challenges owing to the wide variety of actors involved in the problem: governments, businesses, end users and the

In light of the need for a holistic and comprehensive approach to malware, a common point of departure is needed from which to build co-operation and collective action. This report calls for the creation of a global "Anti-Malware Partnership" involving governments, the private sector, the technical community and civil society.

Malware

No longer limited to the realm of computer hackers and tech researchers, malware in the 2000s has become a serious business and a multi-million-dollar criminal industry. The major drivers can be summarised as follows:

- Malware is widely available. Virtually anyone can buy it online at a low cost, as well as from underground markets. And malware is user-friendly, meaning it provides attackers with the capability to launch rapid, sophisticated attacks beyond their skill level.

- Malware can infect all sorts of devices. Since it is nothing more than a piece of software, malware can infect not only personal computers but also the backbone of the Internet - the servers and routers that move data worldwide. While malware often propagates through the Internet, it is important to note it can also be introduced into computer systems not connected to the Internet.

- Malware is profitable. Together with other cyber tools and techniques, malware is a low-cost, reusable way to carry out highly lucrative forms of cybercrime. Two prime examples are the capture of credit card and bank account data via "spyware" and the launch of "denial-of-service" attacks to extort money or concessions.

Malware can harm critical information infrastructures, cause major financial losses and, perhaps worst of all, undermine trust and confidence in the Internet economy. Therefore, malware is increasingly a shared concern for Internet market participants: governments, businesses and individuals in OECD countries and Asia Pacific Economic Co-operation (APEC) economies.

Governments, for one, are increasingly dependent on the Internet for delivering services, making them and their citizens vulnerable to malware. In addition to the complex and expensive task of securing their own systems,

e-commerce companies to software vendors - have had to increase security-related investments in order to expand their online business. The key Internet market participants interviewed for this book (please see Part II) were devoting an estimated 6% to 10% of their technology budgets to protect against malware. Combined with indirect costs (such as funding watchdog organisations, public education campaigns and law enforcement efforts) the total costs of malware for key Internet market participants may well be above 10% of technology spending.

Trends

As explained in Part I, the deployment of malware is becoming ever-more sophisticated and targeted, presenting a great challenge to those working to measure and combat the problem. Key findings include:

- Self-sustaining cyber attacks increasingly depend on "botnets", or groups of malware-infected computers (also called "zombies") that can be used to remotely carry out attacks against other computer systems.

- Many malware attacks are smaller and deliberately limited in scope, in an attempt to stay "below the radar" of the security and law enforcement communities.

- Spam has evolved from a nuisance, to a vehicle for fraud, to a vector for distributing malware.

- The overall malware problem is difficult to quantify: no single entity has a global understanding of the scope, trends, development and consequences of malware.

- Data on malware are not consistent, and terminology for cataloguing and measuring the occurrence of malware is not harmonised.

- The effectiveness of current approaches in combating malware is constantly challenged by both ongoing technological changes and faster exploitation of software vulnerabilities.

Economic incentives

To a great extent, cyber security is affected by the behaviour of the key Internet market participants: Internet Service Providers; e-commerce companies; domain name registrars; software vendors; and end users. Part II

what trade-offs are associated with these responses; and how the situation is affected by the security actions of other market participants. Key findings were:

- How key market participants address malware is greatly influenced by the specific incentives they face: greater online traffic vs. higher security costs, for example. Some of these incentives work to enhance online security while others work to reduce it.

- In many instances, market participants make decisions that pass on the costs of malware to others in the network (thus "externalizing" them), such as when end users opt not to protect their computers against viruses.

- Owing to existing feedback loops, which should be strengthened and expanded, the extent of passed-on costs and benefits is probably smaller than had been previously assumed. On the other hand, many of these passed-on costs remain unaddressed.

Approach

While this work details many of the problems presented by malware, it is a first step towards a solution. To prevent malware from becoming a serious threat to the Internet economy and to national security, a global partnership against malware is needed.

A wide range of communities and actors - from policy makers to Internet Service Providers to end users - all play a role in combating malware. But there is still limited knowledge, understanding, organisation and delineation of the roles and responsibilities of each of these actors. Therefore, a global "Anti-Malware Partnership" should involve not only governments, but also the private sector, the technical community and civil society. Such an inclusive, co-ordinated effort would be more likely to provide co-ordinated policy guidance to fight malware on all fronts - from educational to technical to legal and economic.

This type of international co-operation should be supported and informed by accurate measurement of the problem and analysis of the underlying economics at play. Also, the limitations of current actions against malware should be addressed, and the question of how to strengthen anti-malware incentives for market participants should be further explored. Improvements can be made in many areas, and international co-



Background

The Organisation for Economic Co-operation and Development (OECD) Working Party on Information Security and Privacy (WPISP) and the Asia Pacific Economic Co-operation Telecommunication and Information Working Group (APEC TEL) Security and Prosperity Steering Group (SPSG) have both experience and expertise in the development of policy guidance for the security of information systems and networks.

In 2002, the OECD adopted the Guidelines for the Security of Information Systems and Networks ("the Security Guidelines") which provide a clear framework of principles at the policy and operational levels for consistent domestic approaches to addressing information security in a globally interconnected society. More broadly, the Security Guidelines reflect a shared ambition to develop a culture of security across society so that security becomes an integral part of the daily routine of individuals, businesses and governments in their use of Information and Communication Technologies (ICTs) and in conducting online activities. 1 In 2004 and 2005, the OECD monitored efforts by governments to implement national policy frameworks consistent with the Security Guidelines, including measures to combat cybercrime, develop Computer Security Incident Response Teams (CSIRTs), raise awareness, and foster education as well as other topics (OECD, 2005a). In 2006 and 2007, the OECD focused on the development of policies to protect critical information infrastructures (OECD, 2007c and 2008).

Likewise, in 2002, APEC issued the APEC Cybersecurity Strategy which identified six areas for co-operation among member economies including legal developments, information sharing and co-operation, security and technical guidelines, public awareness, and training and education. To implement the APEC Cybersecurity Strategy, in 2005 the APEC TEL adopted the Strategy to Ensure a Trusted, Secure, and Sustainable Online Environment.

OECD and APEC objectives

In 2005, the APEC and OECD co-organised a workshop to share information on evolving information security risks and to explore areas for further co-operation between the organisations to better tackle the international dimension of information security risks. In 2006, both organisations agreed that the need to encourage a safer and more secure online environment was more pressing than ever due to the continued growth of economic and social activities conducted over the Internet and the increased severity and sophistication of online malicious activity. Consequently, they decided to organise a workshop 2 and develop an analytical report to examine the issues of malicious software, commonly known as "malware", with a view to:

- Informing national policy makers on the impacts of malware.

- Cataloguing trends in malware growth and evolution.

- Examining the economics of malware and the business models behind malicious activity involving malware.

- Evaluating existing technical and non-technical countermeasures to combat malware and identify gaps; and,

- Outlining key areas for action and future work.

Prepared by the OECD Secretariat in close collaboration with volunteer government experts from OECD and APEC as well as the private sector, this report does not discuss every aspect of malware, all types of malware, or all propagation vectors. Rather, it focuses on issues of significant concern or issues which may pose problems in the future. Similarly, the report does not examine all possible strategies associated with preventing, detecting and responding to malware but rather focuses on elements of relevance to OECD member countries, APEC economies, and other governments and organisations more broadly. Finally, the report refers to forms of cybercrime, such as spam and phishing 3 that may not directly involve the use of malware but nevertheless demonstrate how malware can also be used as a tool to facilitate cybercrime.



Notes

1. The United Nations, the Council of the European Union, the Asia Pacific Economic Co-operation (APEC) and the Asia-Europe Meeting (ASEM) have recognised and used the Guidelines in their work.

2. Information on the joint OECD-APEC Malware Workshop is available at: www.oecd.org/document/34/0,3343,en_2649_34255_38293474_1_1_1_1,00.html.

3. Phishing refers to a social engineering attack, where an attacker manipulates a user to disclose their online account access credentials or other personal information (typically) to a website in the control of an attacker. According to this definition phishing may not directly involve malware. However, when the term is used to, for example, also refer to certain types of Trojan attacks, malware is implicated.



Part I. The Scope of Malware

This part of the book defines the various forms of malicious software (malware) and their impact, growth and evolution. Specifically, Chapter 1 defines the major types of malware; Chapter 2 focuses on the types of malware attacks possible and their perpetrators; and Chapter 3 explains the toll malware takes on the information and communications industry, as well as why malware is a growing and major concern for governments, businesses and citizens of OECD countries and APEC economies.

Chapter 1. An Overview of Malware

What is malware?

Malware is a general term for a piece of software inserted into an information system to cause harm to that system or other systems, or to subvert them for use other than that intended by their owners. 1 Malware can gain remote access to an information system, record and send data from that system to a third party without the user's permission or knowledge, conceal that the information system has been compromised, disable security measures, damage the information system, or otherwise affect data and system integrity.

Different types of malware are commonly described as viruses, worms, Trojan horses, backdoors, keystroke loggers, rootkits or spyware. These terms correspond to the functionality and behaviour of the malware (e.g. a virus is self-propagating, a worm is self-replicating). Experts usually group malware into two categories: family and variant. "Family" refers to the distinct or original piece of malware; "variant" refers to a different version of the original malicious code, or family, with minor changes. 2

Characteristics of malware

Although not the only means by which information systems can be compromised, malware provides attackers the convenience, ease of use, and automation necessary to conduct attacks on a previously inconceivable scale.

- Malware is multi-functional and modular: there are many kinds of malware that can be used together or separately to achieve a malicious actor's goal. New features and additional capabilities are easily added to malware to alter and "improve" its functionality and impact (Danchev,



Box 1.1 Malware: a brief history

Viruses were created for fun and worms were created to perform maintenance on computer systems. Malicious viruses did not surface until the 1980s when the first personal computer (PC) virus, Brain (1986), appeared and propagated when a user "booted up" his/her computer from a floppy disc. Two years later, in 1988, the Morris worm received significant media attention and affected over 6 000 computers. Although other types of malicious software appeared in the mid 1980s, the landscape of the late 80s and early 90s predominantly consisted of viruses. Until about 1999, most people related viruses to the example of a

In the mid to late 1990s, the landscape began to change with the growth of the Internet and personal computer use, the rise of networking, and the adoption of electronic mail systems. The so-called "big impact worms" began to reach the public in novel ways. The increased use of e-mail brought high-profile mass-mailing worms such as Melissa (1999), "I Love You" (2000), Anna Kournikova (2001) and Mydoom (2004) that made the headlines and entered the public consciousness. These types of worms doubled their number of victims every one-to-two hours, rapidly reaching peak activity within 12-to-18 hours of being released. This marked the parallel rise in organised, sometimes co-ordinated attacks. The explosive growth of online financial transactions resulted in increased security incidents and in the appearance of new types of malicious code and attacks. Today, mass worms and virus outbreaks are becoming ever

ment communities. The goals of the attackers tend to be focused on financial gain. These new trends help explain why malware is now a global multi-million dollar criminal industry.

- Malware is available and user-friendly: malware is available online at minimal cost, thus making it possible for almost anyone to acquire. There is a robust underground market for its sale and purchase. Furthermore, malware is user-friendly and provides attackers with a capability to launch sophisticated attacks beyond their skill level.

- Malware is persistent and efficient: malware is increasingly difficult to detect and remove and is effective at defeating built-in information security



- Malware can affect a range of devices: because malware is nothing more than a piece of software, it can affect a range of devices, from personal devices such as personal computers (PCs) or Personal Digital Assistants (PDAs) to servers across different types of networks. All these devices, including the routers that allow traffic to move across the Internet to other networks, are potentially vulnerable to malware attacks.

- Malware is part of a broader cyber attack system: malware is being used both as a primary form of cyber attack and to support other forms of malicious activity and cybercrime such as spam and phishing. Conversely, spam and phishing can be used to further distribute malware.

- Malware is profitable: malware is no longer just a fun game for script kiddies or a field of study for researchers. Today, it is a serious business and source of revenue for malicious actors and criminals all over the world. Malware, together with other cyber tools and techniques, provides a low-cost, reusable method of conducting highly lucrative forms of cybercrime.

How does malware work?

Malware is able to compromise information systems due to a combination of factors that include insecure operating system design and exploitable software vulnerabilities. Malware works by running or installing itself on an information system manually or automatically. 5 Software may have vulnerabilities, or "holes" in its fabric caused by faulty coding. Software may also be improperly configured, have functionality turned off, be used in a manner not compatible with suggested uses or be improperly integrated with other software. All of these are potential vulnerabilities and openings for attack. Once these vulnerabilities are discovered, malware can be developed to exploit them for malicious purposes before the security community has developed a "fix", known as a patch. Malware can also compromise information systems due to non-technological factors such as poor user practices and inadequate security policies and procedures. Many types of malware such as viruses or Trojans require some level of user interaction to initiate the infection process, such as clicking on a web link in an e-mail, opening an executable file attached to an e-mail or visiting a website where malware is hosted. Once security has been breached by the initial infection, some forms of malware automatically install additional



they have received a notice from their bank, or a virus warning from a system administrator, when they have actually received a mass-mailing worm. Other examples include e-mail messages claiming to be an e-card from an unspecified friend to persuade users to open the attached "card" and download the malware.

Malware can also be downloaded from web pages unintentionally by users. A recent study by Google that examined several billion URLs and conducted an in-depth analysis of 4.5 million found that, of that sample, 700 000 seemed malicious and that 450 000 were capable of launching malicious downloads (Google, Inc. p. 2). Another report found that only a small proportion of the websites analysed were malicious by design. This has led to the conclusion that about 80% of all web-based malware is being hosted on legitimate but compromised websites, unbeknownst to their owners (Sophos, p. 4).

A different report found that 53.9% of all malicious websites observed were hosted in China (Sophos, 2007, p. 6). The United States ranks second in this study with 27.2% of the malicious websites observed located there. Furthermore, the data provided below demonstrate that by mid-2007, malware on web pages accounted for 58.2% of the incident reports received by the United States Computer Emergency Readiness Team (US-CERT).

Figure 1.1 US-CERT incident reporting trends for January 2006 - August 2007

Distribution of cybersecurity incidents and events across the six major categories

Source: US-CERT.

The number of incidents involving malware (malicious code) has significantly increased from 2006 to 2007.

Figure 1.2 below depicts the top five malware sub-categories being reported to US-CERT. The category labelled as "Malware" includes Trojans, worms and viruses. The graph shows "Malicious websites" as the most commonly reported sub-category.

Figure 1.2 Top five malware (2007)

Source: US-CERT.

What is the United States Computer Emergency Readiness Team (US-CERT)?

A partnership between the Department of Homeland Security (DHS) and the public and private sectors. Established in 2003 to protect America's Internet infrastructure, US-CERT co-ordinates defense against and responses to cyber attacks across the nation. The organisation interacts with federal agencies, state and local governments, industry professionals, and



Malware propagation vectors refer to the electronic methods by which malware is transmitted to the information systems, platforms or devices it aims to infect. E-mail and instant messaging applications are some of the most common vectors used for spreading malware through social engineering techniques. Any medium that enables software to be distributed or shared, however, can be a vector for malware. Examples of malware propagation or distribution vectors include the World Wide Web (WWW), removable media (such as USB storage keys), network-shared file systems, peer-to-peer file sharing networks, Internet relay chat (IRC), Bluetooth or wireless local area networks (WLAN). 11

Bluetooth is one prominent vector for malware propagation on mobile devices. Bluetooth is a wireless personal area network (PAN) that allows devices such as mobile phones, printers, digital cameras, video game consoles, laptops and PCs to connect through unlicensed radio frequency over short distances. Bluetooth can be compromised by techniques such as bluejacking and bluesnarfing 12 and is most vulnerable when a user's connection is set to "discoverable", which allows it to be found by other nearby Bluetooth devices. 13

Box 1.2 Examples of malware propagation vectors

E-mail: Malware can be "mass mailed" by sending out a large number of e-mail messages with malware attached or embedded. There are numerous examples of malware propagated through mass-mailers, largely due to the ability of malicious actors to use social engineering to spread malware rapidly across the globe.

Web: Attackers are increasingly using websites to distribute malware to potential victims. This relies on spam e-mail to direct users to a website where the attacker hosts malware capable of compromising a computer by simply allowing a browser connection to the website. If the website is a legitimate and popular site, users will visit it of their own accord, allowing their computers to potentially become compromised without the need for spam e-mail to direct them there. There are two methods of infection via the web: compromise an existing website to host malware, or set up a dedicated site to host malware on a domain specially registered

Instant messaging: In messenger programmes, instant messages could also contain web links that direct a user to another site hosting downloadable malware. Once a user clicks on a

Network-shared file systems: A network share is a remotely accessible digital storage facility on a computer network. A network share can become a security liability for all network users when access to the shared files is gained by malicious actors or malware, and the network file sharing facility included within the operating system of a user's computer has been otherwise compromised.

File-sharing programmes: Some malware propagates itself by copying itself into folders it assumes to be shared (such as those with "share" in the folder name), or for which it activates sharing, and uses an inconspicuous or invisible file name (e.g. posing as legitimate software, or as an archived image).

Internet Relay Chat (IRC): IRC is a form of Internet chat specifically designed for group communications in many topical "channels", all of which are simultaneously and anonymously available from any location on the Internet. Many "botmasters" (as the malefactors who operate networks of malware-infected/compromised machines are often called; see the chapter "The Malware Internet: Botnets") use IRC as the central command and control (C&C) communications channel for co-ordinating and directing the actions of the bot-infected/compromised information systems in their "botnet".

Bluetooth: Bluetooth is a wireless networking protocol that allows devices like mobile phones, printers, digital cameras, video game consoles, laptops and PCs to connect at very short distances, using unlicensed radio spectrum. Because the security mechanisms implemented in Bluetooth devices tend to be trivially defeated, such devices are vulnerable to malware through attack techniques that have been called "bluejacking" or "bluesnarfing". A Bluetooth device is most vulnerable to this type of attack when a user's connection is set to "discoverable", which allows it to be found by other nearby Bluetooth devices.

Wireless local area network (WLAN): Wireless LAN or WLAN is a wireless local area network, which is the linking of two or more computers without using wires. WLAN utilises spread-spectrum or OFDM (802.11a) modulation technology based on radio waves to enable communication between devices in a limited area, also known as the basic service set. This gives users the mobility to move around within a broad coverage area and still be connected to the network.



mobile devices

There is some debate around the current seriousness of threats to mobile
such as cell phones, PDAs, and smartphones. 14 For example, some
seem to indicate that threats to mobile devices are still limited. These

- mobile devices are restricted by bandwidth because there is a
  limited amount of spectrum allocated for their use;
- the very small user interface is still an impediment to conducting
  Internet banking and other value transactions - until mobile devices
  become a popular means to conduct such transactions there are
  fewer incentives for attackers to develop malware for the mobile
  telephone platform 16 ;
- the cost associated with using general packet radio service (GPRS)
  to connect to Internet Protocol (IP) data networks may also make the
  mobile device less popular compared to Internet-connected PCs
  which use technologies such as asymmetric digital subscriber line
  (ADSL), cable or broadband wireless.

However, there is also recognition that such threats, while emerging, are

amount of PC malware, mobile malware, which first appeared in
increased from only a few instances to over 300 in total in a two-year
(Hypponen, 2006).

Further, concerns about security increase as mobile devices become
prevalent and are used to access more critical or 'valuable' services. 17
For example, the use of smartphones is on the rise with projections as high
million in use by 2009 (Hypponen, 2006). In 2006, Apple announced
number of video iPods had been shipped to customers with the
iE virus. 18 Many experts are concerned that mobile malware will
become far more dangerous to the mobile devices themselves, the
networks over which those devices communicate and the corporate
s, servers and/or personal computers with which those devices
e information. Undetected malware on a smartphone could get
connected to a corporate network and used to perform further malicious
s (iGillottResearch Inc, 2006).

the Internet: botnets

What is a botnet?

A now prevalent form of malware, botnets are key tools attackers use to
a variety of malicious activity and cybercrime. A botnet is a group
malware-infected computers also called "zombies" or bots that can be






commonly referred to as "bot herders" or "bot masters" that can
the botnet remotely. The bots are then programmed and instructed by

herder to perform a variety of cyber attacks, including attacks
g the further distribution and installation of malware on other
information systems. Malware, when used in conjunction with botnets,
attackers to create a self-sustaining renewable supply of Internet-
connected computing resources to facilitate their crimes (see Figure 1.3).
of the malware discussed earlier in this report is distributed using

There is thus a cyclical relationship: malware is used to create
and botnets are used to further distribute spam and malware.

Figure 1.3 demonstrates the relationship between malware and the

happen: something can be stolen (e.g. information, money,
authentication credentials etc.) and the infected information system can
part of a botnet. When an infected information system becomes part
net it is then used to scan for vulnerabilities in other information
connected to the Internet, thus creating a cycle that rapidly infects
vulnerable information systems.



Figure 1.3 The botnet lifecycle







What are botnets used for?

Botnets are mostly used for the following purposes:

- Locate and infect other information systems with bot programmes
  (and other malware). This functionality in particular allows attackers
  to maintain and build their supply of new bots to enable them to
  undertake the functions below, inter alia.
- Conduct distributed denial of service attacks (DDoS).
- As a service that can be bought, sold or rented out.
- Rotate IP addresses under one or more domain names for the
  purpose of increasing the longevity of fraudulent web sites, which
  for example host phishing and/or malware sites.
- Send spam which in turn can distribute more malware.
- Steal sensitive information from each compromised computer that
  belongs to the botnet.
- Hosting the malicious phishing site itself, often in conjunction with
  other members of the botnet to provide redundancy.
- Many botnet clients allow the attacker to run any additional code of
  their choosing, making the botnet client very flexible to adding new
  attacks.

Command and Control (C&C) models

Typically, bots communicate with the bot master through an Internet
Relay Chat (IRC) command and control (C&C) server which provides the
instructions directing the operation of the botnet. The C&C server usually is
itself a compromised computer running various network services. After
the computer system is infected and compromised by a bot program, the bot

Although there are various C&C models, the most popular has traditionally
been the centralised model (see Figure 1.4) where all bots report to a single
server to wait for commands. The centralised model is popular among bot
herders because it offers software tools that make it easy to operate.
Furthermore, the centralised model results in few communication delays
between the bot master and the bots (Trend Micro, 2005). Increasingly,

communications to or from their network as it is hidden among the vast
of normal web traffic.



An alternative innovative C&C model designed to make it more difficult
for security practitioners to stop botnet hosted attacks is the increasing use
of the peer to peer (P2P) model (see Figure 1.4) (Govcert.nl, 2007). The
peer to peer model lacks a central hierarchy of communication which makes
the botnet more resilient to dismantling (Trend Micro, 2005). It is therefore
ly difficult to stop attacks launched from botnets that communicate
over P2P as there is no single point of failure.




In addition to the models above, botnets are increasingly using what is
known as "fast flux" networks to evade detection. Fast flux networks are
networks of compromised computer systems with public DNS records that
change constantly thus making it more difficult to track and shut down
malicious activity (The Honeynet Project, 2007). Furthermore, this model
s the traditional centralised C&C server and uses proxies to hide the
controlling the fast flux network.
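The fast flux behaviour described above, and the IP rotation under one domain name listed earlier among botnet uses, can be scored from the defender's side by watching a domain's DNS answers over time. The detector below is an added example written for this edition; it is not code from the OECD report or from The Honeynet Project. The domain names, the captured answers (private 10.x addresses) and the thresholds are all constructed for illustration, and the /16 prefix count stands in for the network-ownership (ASN) data a production detector would use. It deliberately checks several signals together, because a short TTL or many IPs on their own are normal for content delivery networks.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, List, Set


@dataclass
class Snapshot:
    """One A-record answer for a domain: capture time (s), TTL and the IPs returned."""
    t: int
    ttl: int
    ips: List[str]


@dataclass
class FluxScore:
    distinct_ips: int
    distinct_prefixes: int   # distinct /16s, a rough stand-in for network diversity
    min_ttl: int
    churn: float             # mean share of IPs per answer never seen in earlier answers
    flagged: bool


def prefix16(ip: str) -> str:
    return str(ip_network(f"{ip}/16", strict=False))


def score_domain(snaps: List[Snapshot], max_ttl: int = 300, min_ips: int = 10,
                 min_prefixes: int = 5, min_churn: float = 0.5) -> FluxScore:
    """Flag fast-flux-like behaviour: short TTLs plus many, constantly changing,
    widely spread IPs. Each signal alone is common in benign hosting, so the
    rule requires all of them (thresholds are assumptions for this example)."""
    seen: Set[str] = set()
    prefixes: Set[str] = set()
    fresh_share: List[float] = []
    for s in sorted(snaps, key=lambda x: x.t):
        ips = set(s.ips)
        fresh_share.append(len(ips - seen) / len(ips) if ips else 0.0)
        seen |= ips
        prefixes |= {prefix16(ip) for ip in ips}
    # The first answer is always 100% new, so churn is measured from the second one.
    later = fresh_share[1:]
    churn = sum(later) / len(later) if later else 0.0
    min_ttl = min(s.ttl for s in snaps)
    flagged = (min_ttl <= max_ttl and len(seen) >= min_ips
               and len(prefixes) >= min_prefixes and churn >= min_churn)
    return FluxScore(len(seen), len(prefixes), min_ttl, round(churn, 3), flagged)


def _answers(ttl: int, groups: List[List[str]]) -> List[Snapshot]:
    return [Snapshot(t=i * 300, ttl=ttl, ips=g) for i, g in enumerate(groups)]


# Constructed sample captures (private 10.x addresses, not real hosts).
SAMPLES: Dict[str, List[Snapshot]] = {
    # Flux-like: every answer brings four never-seen IPs from four new /16s.
    "flux.example": _answers(180, [
        [f"10.{n}.{n}.1" for n in range(1, 5)],
        [f"10.{n}.{n}.1" for n in range(5, 9)],
        [f"10.{n}.{n}.1" for n in range(9, 13)],
        [f"10.{n}.{n}.1" for n in range(13, 17)],
    ]),
    # CDN-like: short TTL and rotating IPs, but only eight of them in two /16s.
    "cdn.example": _answers(60, [
        ["10.50.0.1", "10.50.0.2", "10.51.0.1", "10.51.0.2"],
        ["10.50.0.3", "10.50.0.4", "10.51.0.3", "10.51.0.4"],
        ["10.50.0.1", "10.50.0.2", "10.51.0.1", "10.51.0.2"],
    ]),
    # Ordinary site: one stable address with a day-long TTL.
    "static.example": _answers(86400, [["10.99.0.7"]] * 4),
}


def scan(samples: Dict[str, List[Snapshot]] = SAMPLES) -> Dict[str, FluxScore]:
    return {name: score_domain(snaps) for name, snaps in samples.items()}


if __name__ == "__main__":
    for name, score in scan().items():
        print(f"{name:16} {score}")
```

Only the first sample is flagged: the CDN-like domain shares its short TTL and churn but stays within eight addresses in two prefixes, which is why a single-signal rule would produce false positives.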



es 






rs are connected to the Internet, whether they have been "cleaned",
botnet" the attacker is using his botnet to locate and compromise more
information systems to add to the botnet. Furthermore, there are incentives
for bot herders to use smaller botnets and launch smaller, more targeted,
to avoid detection. For example, large botnets sending spam or
ing DDoS attacks generate a high volume of network traffic that is
detectable by ISPs and network administrators, whereas smaller
botnets that use less bandwidth may go undetected.

Botnets have become a contracted commodity. Malicious actors can hire
a bot master to carry out an attack. One report averaged the weekly
rate for a botnet at USD 50-60 per 1 000-2 000 bots, or around 33
per compromised computer (MessageLabs, 2006). This is
extraordinarily cheap compared to the cost of the computer to the legitimate
in terms of hardware, software and bandwidth.



Box 1.3 The Dutch botnet case

In October 2005 the Dutch National Police arrested three men - members of a
of cyber criminals - suspected of large scale "hacking". The men
ed several botnets that were thought to have consisted of over 1.5 million
computers. The botnets played a key role in numerous cyber crimes
including: phishing, identity theft, online fraud, and online extortion. In due
course it became clear that botnets played a central role in the activities of the
criminals by serving as the basic infrastructure that allowed for the
successful attacks.

In June 2005 a report was made to the CERT community in the Netherlands
important Netherlands-based computer centre had been hacked. The
community in turn reported the incident to the High Tech Crime Unit
ly the Dutch National High Tech Crime Center) of the Dutch National

based on information combining IP addresses and the name of the suspect

e. To determine the size of the botnet and the illegal activities of the
, all IRC protocol traffic in the intercepted data was analysed. It was clear
botnet was very large and used multiple IRC channels on multiple IRC
In this specific investigation, the team realised that the criminals
at least two large botnets used for their cyber crimes and that even after
ding the criminals, the possibility existed that the botnets would still be






The prevalence of botnets has been increasing. Although estimates of
the number of botnets can vary widely, most experts agree it is a large

For example, in 2006, the Chinese National Computer Network
Emergency Response Technical Team Coordination Center (CNCERT/CC)
that 12 million IP addresses in China were controlled by botnets
2007). They also found more than 500 botnets and more than 16 000
command and control servers outside China.



broadband

The increased threat of botnets can partially be explained by the
increased use of broadband connections to access the Internet. Further
are needed from users, as well as providers, to protect their security
and privacy in the online environment. By 2004, broadband Internet
connections were already widespread in OECD countries. For example, in
of households and 92% of businesses had a broadband
connection via a computer or mobile phone in 2004 (OECD, 2005). In the
following two years, those numbers have continued to increase. At the end
, there were around 2fo million active subscribers to fixed Internet
connections in OECD countries. Of these, 60% were using broadband
and broadband subscriptions have increased by more than 60% a
over the last five years. By mid-2006, there were more than 178 million
broadband subscribers in the OECD area. European countries have
continued to advance, with Denmark, the Netherlands and Iceland
ng Korea and Canada in terms of broadband penetration rates over
year (OECD, 2007).

The broadband transition to faster upload bandwidth via fibre could
make the botnet problem much more severe. The potency of one infected
computer on a fibre connection could be equivalent to 31 infected computers

and 44 computers on cable networks. 21 This will be one of the key
areas of concern for policy makers dealing with telecommunication
and security in the near future.

botnets

There is a correlation between botnets and spam due to changes in





(Sophos, 2006a). For example, the second most common malicious
family reported from January - June 2006, Bomka, was a Trojan
downloadable from a link provided in a spam e-mail that used social
engineering techniques to persuade the user that the link was the site of a
ip (Symantec, 2006). The problem of spam and malware is also
and self-sustaining. Information systems compromised by malware
to distribute spam and a proportion of the spam that is distributed is
to distribute malware to new victims whose information systems
used to undertake further online malicious activity.

It is important to note that not all spam contains malware, and it is often
difficult to determine how much spam directly contains malware. Manual
conducted by The Information and Communication Security
Technology Center (ICST) in Chinese Taipei over the course of two years
suspect e-mails found that of those 417 analysed, 287 (68%)
contained malware attachments (Liu, 2007, p. 3). 22 Other data shows that in
dy 1.5%, or 1 in every 67.9 e-mails analysed, contained a virus or
and according to the same report, in 2005 the annual average was
r 1 in every 36.1 (MessageLabs, 2006). It is likely that the disparate
of these findings can be explained by a lack of comparable techniques
to determine when spam contains malware.

Recently, the Messaging and Anti-Abuse Working Group (MAAWG)
that the percentage of email identified as "abusive" 23 has been
fluctuating between 75% and 80% (Messaging Anti-Abuse Working Group,
They attribute the fluctuation to service providers dealing with new
introduced by abusers to escape service providers' detection
, including filters. Nonetheless, it is widely accepted that the vast
of spam is sent from botnets. The effectiveness and wide
availability of compromised information systems with high speed broadband
connections means that spam levels are at their highest levels ever despite
initiatives to reduce and prevent spam being distributed.

Although civil enforcement against spam, such as the case described
is important, most instances of malware are inherently criminal, and
law enforcement agencies are best suited to expertly shut down
criminal operations.






Box 1.4 FTC v. Dugger

In one recent case, the US Federal Trade Commission (FTC) sought to stop the
ing use of botnets to send spam (FTC v. Dugger). The FTC alleged that
defendants relayed sexually explicit commercial e-mails through other
home computers without their knowledge or consent. They further
that the defendant's conduct violated the CAN SPAM Act. Under the final
the defendants were barred from violating the CAN SPAM Act and
to turn over USD 8 000 in profits made through use of the botnet. The
defendants were also required to obtain the authorisation of a computer's owner
using it to send commercial e-mail and to inform the owner how the
computer will be used.



blacklists in combating botnets

Blacklisting is a loosely used term typically referring to the practice of
so-called DNS Blacklists (DNSBL) to filter incoming Internet traffic.
servers may be configured to refuse mail coming from IP addresses, IP
or whole networks listed on a specific DNSBL. There is a wide
of blacklists that may be used in different combinations.

of the lists are free and run by volunteers, though their operations
funded through external sources. Each DNSBL has its own criteria
including an IP address in the list and its own procedure for getting an
off the list. Spamhaus, an international non-profit organisation
through sponsors and donations, maintains several well-known
- though they prefer the term block lists - which they claim are
protect over 600 million user inboxes. One of their lists contains the
IPs of "spam-sources, including spammers, spam gangs, spam
us and spam support services"; another list focuses on botnets which
open proxies. It should be noted at this point that blacklisting, while
powerful, has drawn its own criticisms - regarding, among other
vigilantism of blacklist operators, listing false positives, the collateral
that may come with blacklisting certain IP addresses or ranges, and
financial motives of some list operators. Furthermore, blacklists have
legal challenges from spammers, who on occasion were successful in
court verdicts against being blacklisted. According to interviewees
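The mail-server side of the DNSBL mechanism just described, as an added example written for this edition (not code from the OECD report, from Spamhaus or from any list operator): a listing for address A.B.C.D in zone Z is published as a DNS A record for the reversed name D.C.B.A.Z, and a mail server decides whether to accept a connecting client by looking that name up in each configured list. The zone names, the in-memory answers and the "reject on any hit" policy below are constructed for the example; the lookup function is injectable so the block runs offline, and the default falls back to the system resolver.

```python
import ipaddress
import socket
from typing import Callable, Dict, Optional, Sequence

# Hypothetical zone name used throughout this example (not a real list).
DNSBL_ZONE = "dnsbl.example.net"
LISTING_RANGE = ipaddress.ip_network("127.0.0.0/8")   # DNSBL answers live here


def dnsbl_query_name(ip: str, zone: str = DNSBL_ZONE) -> str:
    """Build the reversed-octet name a mail server looks up in a DNSBL:
    192.0.2.10 in zone Z becomes 10.2.0.192.Z."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 listings only")
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def _live_resolve(name: str) -> Optional[str]:
    """Default resolver: NXDOMAIN (or no answer) means 'not listed'."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def dnsbl_lookup(ip: str, zone: str = DNSBL_ZONE,
                 resolve: Callable[[str], Optional[str]] = _live_resolve) -> Optional[str]:
    """Return the listing code (an address inside 127.0.0.0/8) or None."""
    answer = resolve(dnsbl_query_name(ip, zone))
    if answer is None:
        return None
    if ipaddress.ip_address(answer) in LISTING_RANGE:
        return answer
    # An answer outside 127/8 is not a listing (typically a wildcarded,
    # expired or hijacked zone): fail open rather than bounce mail on bad data.
    return None


def smtp_policy(client_ip: str, zones: Sequence[str],
                resolve: Callable[[str], Optional[str]] = _live_resolve) -> str:
    """Consult several lists in combination; reject on the first hit."""
    for zone in zones:
        code = dnsbl_lookup(client_ip, zone, resolve)
        if code is not None:
            return f"reject: {client_ip} listed in {zone} ({code})"
    return "accept"


# Constructed in-memory stand-in for the DNS so the example runs offline.
FAKE_ZONE_DATA: Dict[str, str] = {
    "10.2.0.192.dnsbl.example.net": "127.0.0.2",          # constructed listing
    "5.2.0.192.wildcard.example.net": "198.51.100.7",     # constructed bad answer
}


def fake_resolve(name: str) -> Optional[str]:
    return FAKE_ZONE_DATA.get(name)


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.11", "192.0.2.5"):
        print(ip, smtp_policy(ip, [DNSBL_ZONE, "wildcard.example.net"], fake_resolve))
```

Note the fail-open branch: the criticisms of collateral damage raised later in this section are one reason a mail operator treats anything other than a 127/8 answer as "no information" instead of a block.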






Blacklisting and ISPs 24

Blacklisting does provide an incentive to invest in security because it
impacts an ISP's business model. For example, one medium-sized
reported a security incident where 419 spammers 25 set up over 1 000 e-
mail accounts within their domain and then started pumping out spam. That
ISP's outbound mail servers blacklisted, which resulted in a high
of calls to their customer centre by customers who noticed their e-
mail was no longer being delivered. That number doesn't include the
abuse notifications, of which there were purportedly "even more."
In another example, a security officer at a large ISP explained that being
blacklisted led to a much more proactive approach to remove bots from their
, including the purchase of equipment that automates the process of
ng infected machines on the network (Eeten and Bauer, 2008). In
2007, this particular ISP identified around 50 customers per day and, if
the customer did not resolve the problem, the connection was suspended.

There are various levels of blacklisting used to incite a response from an
At the lower end, there is blacklisting of individual IP addresses, i.e., an
individual customer. This has "exactly zero impact on the ISP," said a
expert. Only when the number of listed IP addresses reaches a
threshold might the problem get an ISP's attention. According to the
ISPs mostly ignore listed individual IP addresses, because of the
high costs of dealing with them (e.g. through customer support).
Furthermore, particular IP addresses get taken off the blacklist as spammers
ers move on to other infected machines.

More powerful incentives are the blacklisting of whole IP ranges and of
d mail servers. These typically do get the ISPs' attention and lead to
action on their end, though the effectiveness varies with the degree
applied by the ISP. The most extreme form is blacklisting an
network (i.e., all IP addresses of an ISP). This is only used against



Blacklisting and Domain Name Registrars

Registrars offering hosting and e-mail services are subject to
blacklisting along the same lines as the ISPs. Blacklist operators also watch
and their responsiveness to abuse complaints. In extreme cases,






Nic.at did not comply with these requests, citing legal constraints. The
registrar argued that it could not legally remove the sites, unless Spamhaus
clear proof that the domain names had been registered using false
information (Sokolov, 2007). The conflict escalated when Spamhaus added
the outbound mail server of Nic.at to one of its blacklists - listing them as
"spam support" - so that the registrar's e-mail was no longer accepted by
the multitude of servers using this popular blacklist. About ten days later
Spamhaus changed the listing of Nic.at to a symbolic listing - no longer
blocking the IP addresses, but keeping them listed as "spam
support". Several of the offending domains had been removed, but Nic.at
that it had complied with Spamhaus' request and asserts that the
providers took action (ORF, 2007; Spamhaus, 2007).



Notes 



The 1992 OECD Guidelines for the Security of Information Systems and
Networks defined an information system as computers, communication
facilities, computer and communication networks and data and
information that may be stored, processed, retrieved or transmitted by
them, including programmes, specification and procedures for their
operation, use and maintenance.

See the Glossary of Malware Terms at the end of this book.

For example, W32.Sober@mm (also known as Sober) was the primary
source code of the "Sober" family. Sober.X is a variant of Sober. (See
Symantec, 2006, p.67).

Host refers to a computer at a specific location on a network.
See Chapter 2 for a discussion of digital certificates.

Servers are generally more powerful computers which provide services to
(and accept connections from) many clients however home PCs and
corporate workstations can also act as servers, particularly when they
become compromised. Common types of servers include web, e-mail and

Script Kiddie refers to an inexperienced malicious actor who uses

providing information or taking an action which leads to the subsequent
breach in information systems security.

See Box 1.2 for additional detail of propagation vectors.

Bluejacking consists in sending unsolicited messages to Bluetooth
connected devices. Bluesnarfing enables unauthorised access to
information from a wireless device through a Bluetooth connection.

While Bluetooth can have a range of 100 metres for laptops with powerful
transmitters, it has a more limited range for mobile phones, usually
around 10 metres.

A Smartphone is a cellular phone coupled with personal computer like
functionality.

A personal area network (PAN) is a computer network used for
communication among computer devices (including telephones and
personal digital assistants) close to one person. The devices may or may
not belong to the person in question. The reach of a PAN is typically a

devices themselves, or for connecting to a higher level network and the

These transactions are possible as is demonstrated by the Japanese
market. See BBC (2007b).

For example, some financial institutions that wish to implement
transaction signing and avoid providing customers with a separate smart
card reader, may in future provide support for transaction signing through
the use of a customer's own mobile telephone PDA. In this way, the
mobile PDA also is likely to be targeted to subvert the transaction signing
process. As discussed in the glossary, transaction signing is only effective
if the keyed hash for the transaction is calculated on a device that can be
trusted.

Note that the virus was transmitted to the device through a Windows
computer on the production line. See
http://www.apple.com/support/windowsvirus/.






performs automated tasks. It is most widely used in the context of Internet
Relay Chat (IRC) where users can create and use bot scripts for online
gaming, co-ordinating file transfers, and automating channel admin
commands (EggDrop is one of the oldest of such benign IRC bots). The
fact that botnets often rely on IRC bots for command and control by
botmasters might explain why the term "bot" is so popular in the literature
and discussions related to malware.

This is the same protocol that enables both encrypted (https) and
unencrypted (http) web based communications to occur. Blocking this
traffic would prevent web access to a network.

One infected computer on a fibre connection with 100 Mbit/s of upload
capacity could theoretically cause as much damage as 390 infected
computers with upload speeds of 236 kbit/s. The average advertised
upload speeds for broadband in the OECD in October 2006 was 1 Mbit/s
for DSL, 0.7 Mbit/s for cable and 31 Mbit/s for FTTx.

Note that this data is based on self-selected spam that fits a certain
category or type and therefore is representative of a smaller sample set.
Furthermore, this data does not include the mass mailing worms/viruses.

MAAWG uses the term "abusive" because definition of spam can vary
greatly from country to country.

This text has been extracted from the original report. See Eeten, M. J. van
and J. M. Bauer (2008), pp. 33-34.

This is an advance-fee fraud in which the target is persuaded to advance

419 fraud). The number "419" refers to the article of the Nigerian
Criminal Code dealing with fraud.



Chapter 2. Malware Attacks: Why, When and How?

Malware attacks

The numerous types of malware can be used separately or in
combination to subvert the confidentiality, integrity and availability of
information systems and networks. Likewise, a range of different attacks can
be conducted to reach different goals, such as denying access to critical
information systems, conducting espionage, extorting money (e.g. ransom),
stealing information (e.g. ID theft). Malware can also be used to
compromise authenticity and non-repudiation, or conduct attacks on the
Domain Name System (DNS). 1

Denying access

Denying access to digital data, network resources, bandwidth, or other
services (denial of service - DoS) is a common goal of attacks
malware. Popular targets include companies that conduct business
and risk losing significant revenue for every minute their website or
is unavailable, and governments who rely on websites to provide
services to their citizens. These attacks are usually used for
(for example, to hurt a competitor or an organisation against whom
the attacker holds a grudge or grievance), extortion, or for politically and
ideologically motivated purposes (Messmer and Pappalardo, 2005).

Distributed Denial of Service (DDoS) attacks

The most well known and perhaps most common method to deny access
is distributed denial of service attacks (DDoS). DDoS attacks seek to render
an organisation's website or other network services inaccessible by
overwhelming them with an unusually large volume of traffic. 2 Malware
contributes to DDoS attacks by creating a renewable supply of






the service unavailable to most or all of its legitimate users, or at
degrading performance for everyone.

Simple DDoS attacks use a distributed network of bots (called a botnet)
a particular target. The more complex DDoS attacks use multiple
to simultaneously attack the target. In traditional DDoS attacks,
are used to send massive amounts of queries and overwhelm a
However, low and slow attacks, a recent trend noted by some
experts, occur over a longer period of time and use a small amount
of bandwidth from thousands, if not millions, of compromised computers.
The attacker co-ordinates the attack so that not all the bots will attack
at the same time, but rather on a rotating basis. The victim and the
Service Provider may not notice that their network traffic has
but over time, it becomes a drain on their infrastructure and other



Box 2.1 The Estonian case

In May 2007, a series of cyber attacks were launched against Estonian

were rendered inaccessible at various points, including those of the foreign
ice ministries. Most of the attacks were launched using botnets comprised
of thousands of ordinary computers.

Estonia's computer emergency response team (CERT-EE) acted swiftly and, in
co-operation with partners from the international community, was able to weather
the serious attack with little damage. The attack was primarily defended through
blocking connections from outside Estonia. For example, Estonia's
largest bank, SEB Eesti Uhispank, blocked access from abroad to its online
banking service while remaining open to local users. One major contributor to the
availability of their services domestically during the attack was the fact that Estonia
domestic Internet exchange points (IXPs). 4

Two weeks after the attacks ended, one researcher identified at least 128
attacks on nine different websites in Estonia. Of these 128 attacks, 35
were reportedly against the website of the Estonian Police, another 35 were
reportedly against the website of the Ministry of Finance, and 36 attacks were
against the Estonian parliament's, prime minister's and general government

It has further been estimated that some of the attacks lasted more than 10 hours,
i 05Mbps, and peaked at about million packets per second. While this may
seem like a lot, other attacks considered "big" by security experts usually peak at



DDoS attacks have been launched against governments for various
reasons including political or ideological ones. For example, Swedish
government websites were attacked in the summer of 2006 as a protest
against the country's anti-piracy measures. More recent events in Estonia
raised an interesting discussion on what a cyber attack of this nature
for countries.

Attacks on the DNS

attacks using "recursive resolvers". While these attacks use recursive
resolvers as their force-multiplier, they need not be directed at DNS targets
although that's where they do the most damage. They can just as
use the DNS to conduct DDoS attacks against other targets. This type
of attack uses the DNS as a weapon against something else, whereas the
attacks against the DNS root servers, described above, use something else as
a weapon against the DNS.

These attacks are often possible due to poor configuration of an
organisation's DNS server, which allows it to service DNS requests from
anywhere on the Internet - not just from its own network. Recursive DNS
attacks are indirectly related to malware only in so far as they use a small
number of compromised information systems to send fake DNS requests.
Unlike other forms of DDoS attack, it does not depend on a large number of
work or be more effective. It is important to note that the purpose of
recursive or amplification attacks is not to deny service to the DNS system
but rather to the DNS server of a single organisation. This has the
effect of making the IP routing unresolved to the entity's domain name and
outbound DNS requests for the organisation difficult because of the
stion of resources at the organisation's DNS server. Although
malware is not always directly involved, it is also an example of how a user
's configuration can have a negative impact on others' security.

Domain-name tasting. Another trend in which malware may be
involved, but not directly involved, is the practice of domain name tasting.
Domain name tasting is the practice of adding a grace period to the
registration of domain names so that the registrants can test the profit
potential of the domain names. During this period, registrants conduct a
cost-benefit analysis to determine if the tested domain names return enough
to offset the registration fee paid to the registry over the course of the
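The misconfiguration described in the previous paragraph, a resolver that answers recursive queries from anywhere, can be caught by the organisation itself from its own query logs. The audit below is an added example for this edition (not code from the OECD report or from any DNS software vendor): it parses query-log lines, separates clients that belong to the organisation's own address ranges from outside clients, and counts the recursive requests served to outsiders, which a correctly scoped resolver would have refused. The log layout is modelled loosely on a BIND-style query log but is constructed here, as are the addresses (documentation ranges only), the names and the internal networks passed in.

```python
import re
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Sequence

# Constructed log lines (client, query name, class, type, flags, server address).
# The "+" flag means the client asked for recursion; "-" means it did not.
SAMPLE_LOG = """\
client 10.20.30.40#50123: query: intranet.example.org IN A + (10.0.0.53)
client 10.20.30.41#50124: query: www.example.org IN A + (10.0.0.53)
client 198.51.100.7#1234: query: big-zone.example IN ANY + (10.0.0.53)
client 198.51.100.7#1234: query: big-zone.example IN ANY + (10.0.0.53)
client 203.0.113.9#4444: query: example.org IN A - (10.0.0.53)
client 198.51.100.7#1234: query: big-zone.example IN ANY + (10.0.0.53)
client 203.0.113.77#5353: query: www.example.net IN A + (10.0.0.53)
"""

LINE_RE = re.compile(r"client (\S+)#\d+: query: (\S+) IN (\S+) ([+-])\S* \((\S+)\)")


@dataclass
class Query:
    client: str
    name: str
    qtype: str
    recursion_desired: bool


def parse_query_log(text: str) -> List[Query]:
    """Parse the constructed log layout; lines that do not match are skipped."""
    out: List[Query] = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            out.append(Query(m.group(1), m.group(2), m.group(3), m.group(4) == "+"))
    return out


def external_recursive(queries: Sequence[Query], internal_nets: Sequence[str]) -> List[Query]:
    """Recursive requests answered for clients outside the organisation's own
    networks. A resolver scoped to its own network would refuse these, so any
    hit means outsiders can use the server as a reflector."""
    nets = [ip_network(n) for n in internal_nets]
    return [q for q in queries
            if q.recursion_desired and not any(ip_address(q.client) in n for n in nets)]


def audit(text: str, internal_nets: Sequence[str]) -> Dict[str, object]:
    hits = external_recursive(parse_query_log(text), internal_nets)
    per_client = Counter(q.client for q in hits)
    return {
        "open_recursion": bool(hits),
        "external_recursive_queries": len(hits),
        "top_clients": per_client.most_common(3),
        # Repeated identical queries from one outside source for a name the
        # server is not authoritative for is the pattern worth alerting on.
        "repeat_offenders": [c for c, n in per_client.items() if n >= 3],
    }


if __name__ == "__main__":
    print(audit(SAMPLE_LOG, ["10.0.0.0/8"]))
```

The line from 203.0.113.9 is not counted even though it comes from outside: it carries the "-" flag, i.e. an ordinary non-recursive query for a name the server may legitimately be authoritative for. Passing the outside ranges as "internal" (second assertion set) shows the same log producing no findings, which is the state a resolver restricted to its own network should be in.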






card was declined. The process has been exploited to permit the
registration of domain names in bulk. Although difficult to prove, it is likely
the "tasted" domains are used to distribute malware.



Box 2.2 A closer look at DNS

The Domain Name System (DNS) is like an address book for the Internet. It
users to navigate, send and receive information over the Internet. Every
computer connected to the Internet uses a unique address which is a string of
numbers called an "IP address" (IP stands for "Internet Protocol"). Because IP
addresses are difficult to remember, the DNS makes using the Internet easier by
allowing a familiar string of letters (called the "domain name") to be used instead
of a numeric IP address. For example, instead of typing 193.51.65.37, users can
type www.oecd.org. It is a "mnemonic" device that makes the addresses for

A domain name consists of various parts, the top-level domain (TLDs) and the
subdomains. TLDs are the names at the top of the DNS naming hierarchy.
Commonly used generic TLDs include .com, .net, .edu, etc. Also, there are
244 country code TLDs (ccTLDs), such as .jp, .au, .de, etc. The
administrator for a TLD controls the second-level names which are recognised in
that TLD. The administrators of the "root domain" or "root zone" control what
are recognised by the DNS.

such as .fr (France), .cn (China), etc. This is critical information. If the
information is not 100% correct or if it is ambiguous, it might not be possible to
a key service on the Internet. In DNS, the information must be unique and

The data in the DNS is stored in hierarchical and widely distributed sets of
servers known as "name servers", which are queried by "resolvers". Resolvers
are often part of the operating system or software on the user's computer. They
are used to respond to a user's request to resolve a domain name - that is, to find
the corresponding IP address.

Internet Corporation for Assigned Names and Numbers,



modify data

output (screen or printer), and storage (USB, hard disk or memory).
Once a system is compromised, the integrity (i.e. trustworthiness) of
the entire system can no longer be relied upon. Attacks on integrity are
a precursor to other attacks, such as the theft of sensitive data, or
a feature of an attack on authentication. However, attacks on integrity
can be an end goal. For example, modifying entries in a database to
commit fraud or deleting a company's customer database for commercial
gain; or modifying settings on a SCADA system used for gas
ion may be designed to lead to a harmful malfunction of that

Another currently popular attack that modifies data is compromising a
website and inserting an Iframe, which infects regular visitors to that site.
Iframes can be inserted into legitimate websites to link to malware hosting
sites that can then compromise the user.

dentity 

re are substantial differences between statistical information 
I on ID theft by public authorities for policy purposes versus that 
I by private businesses for commercial purposes. Some sources 
: that the scale of ID theft has gone down in the past years, resulting 
ing consumer confidence. In contrast, other sources advance figures 
g an increase in ID theft. Furthermore, some financial institutions, 
ly that the costs are relatively modest, are not willing to reveal their 
financial losses. On the other hand, other private bodies advance 
reflecting an increase in ID theft. To further complicate the 
>c, some financial institutions even claim that none of their 
rs has ever been affected by a phishing attack (Devillard, 2006). 
re some data to illustrate the debate around ID theft: 

In 2006, the Netcraft toolbar, an anti-phishing tool developed by the 
Netcraft Toolbar Community 10, blocked more than 609 000 
confirmed phishing URLs, a substantive jump from 41 000 only in 
2005 (Netcraft Toolbar Community, 2007). Netcraft views this 
dramatic surge, mainly concentrated in November-December 2006, 
as the result of recent techniques implemented by phishers to 
automate and propagate networks of spoof pages, enabling the rapid 
deployment of entire networks of phishing sites on cracked web 



! ATTACKS; WHY. WHEN AND HOW? 



increase since September 2006. However, in its December 2006 
report the APWG notes a decrease in the number of new phishing 
sites (which dropped to 28 531) (APWG, 2006b). 
The US Federal Trade Commission reported in 2003 that ID theft 
affected approximately 10 million Americans each year (US FTC, 
2003). 13 In 2007, another report found that ID fraud had fallen about 
12% from USD 55.7 billion to 49.3 billion (Javelin Research and 
Strategy, 2007). 

However, the Javelin report was criticised and regarded as trying to 
persuade the opinion that "businesses are doing an adequate job in 
protecting consumers' personal information and that the onus is on 
consumers to better protect themselves" (Shin, 2007). A recent 
McAfee survey noted this discrepancy, considering Javelin's 
percentage as "surprisingly low" and comparing them to Gartner 
statistics, which, in contrast, in 2007, counted 15 million 
Americans as victims of ID theft (McAfee, 2007). 

Single and multi-factor authentication 

cks on single-factor authentication, such as a username and reusable 
d, using malware are widespread and highly effective. Such attacks, 
cks on integrity, are precursors to stealing information of value via 

the compromised computer. Single-factor credentials for computer 
online banking accounts, virtual private network (VPN) remote 
nd the like are all vulnerable to capture via keyboard, screen, mouse 

protected storage (or similar areas) within the information system 
then easily replayed by an attacker to access the relevant accounts or 

.cks on some forms of multi-factor authentication are also possible 
jc occurred. For example, most simple forms of multi-factor 
cation, including the use of a hardware token which generates a one- 
issword and challenge-response with a short time to live are 
>le to malware attack. For example, a Trojan, once installed on the 
omputer simply waits for the user to establish a legitimate login 
with their bank using their multi-factor credentials. Then the Trojan 
• a funds transfer in the background without the user's authorisation 



m to successfully authenticate to e-gold's website, then creating a 
browser session, and using various spoofing tricks to empty the 
account. Because the stealing and spoofing started after the 
cation is completed, it circumvented any authentication that was put 
. While the e-gold Trojan did not attack multi-factor authentication 
it was an early example of malware able to transfer funds in the 
und after the user legitimately logs on to their e-gold account which 
ive defeated any type of multi-factor logon authentication that did 
implement transaction signing (Stewart, 2004). 



Box 2.3 The two-factor token attack 

ight variation of the two-factor token attack involving a hybrid phishing 
lware attack, reportedly targeted ABN AMRO's online banking customers 
'. The attacker sent potential victims an e-mail purporting to be from their 
',e. ABN AMRO). If recipients opened an attachment to the e-mail, 
e was installed on their computers without their knowledge. When the 
;rs next visited their banking site, the malware redirected them to the 
-controlled website that requested their security details (i.e. their PIN) 
-time password (OTP) generated by the hardware token. As soon as the 
s received these details they were able to log into the customer's account 
real ABN Amro site, before the expiry of the automatically generated 
enabling them to transfer the customer's money. As single-factor 
ication for high value transactions are replaced by multi-factor 
ication, this type of attack will become more commonplace. 
Outlaw.com (2007) and The Register (2007). 
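The e-gold case above and Box 2.3 make the same point from two directions: a Trojan acting inside an already authenticated session, or a phished one-time code replayed within its validity window, both defeat logon authentication because the bank checks only that the session was opened correctly, not what is then sent through it. The added example below, which is not code from the report or from any bank, contrasts that session-only policy with the transaction signing the text names as the missing control. All names, amounts and the token secret are constructed; the `sign_transaction` function stands in for what a signing token computes.

```python
"""Session-only authorisation vs. transaction signing.

Added example, not from the report or any bank: it models the attack the
text describes (malware acting inside an already authenticated session,
or replaying a phished one-time code) against two server-side policies.
All names, amounts and the token secret are constructed.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Set


def sign_transaction(token_secret: bytes, amount: int, dest: str, nonce: str) -> str:
    """What a transaction-signing token computes: a MAC bound to the
    transaction details and a fresh server nonce, not merely to the login."""
    msg = f"{amount}|{dest}|{nonce}".encode()
    return hmac.new(token_secret, msg, hashlib.sha256).hexdigest()


class Bank:
    def __init__(self) -> None:
        # The secret lives only in the customer's hardware token and at the
        # bank; malware on the PC never sees it.
        self.token_secret: Dict[str, bytes] = {"alice": secrets.token_bytes(32)}
        self.sessions: Dict[str, str] = {}
        self.issued_nonces: Dict[str, str] = {}  # nonce -> user it was issued to
        self.used_nonces: Set[str] = set()

    def login(self, user: str) -> str:
        """Multi-factor login already passed; return a session id."""
        sid = secrets.token_hex(16)
        self.sessions[sid] = user
        return sid

    def transfer_session_only(self, sid: str, amount: int, dest: str) -> bool:
        """Policy 1: any instruction inside a valid session is honoured."""
        return sid in self.sessions

    def challenge(self, sid: str) -> str:
        """Policy 2, step 1: hand out a single-use nonce for this transaction."""
        nonce = secrets.token_hex(8)
        self.issued_nonces[nonce] = self.sessions[sid]
        return nonce

    def transfer_signed(self, sid: str, amount: int, dest: str, nonce: str, sig: str) -> bool:
        """Policy 2, step 2: accept only if the MAC covers exactly these details."""
        user = self.sessions.get(sid)
        if user is None or self.issued_nonces.get(nonce) != user or nonce in self.used_nonces:
            return False
        expected = sign_transaction(self.token_secret[user], amount, dest, nonce)
        if not hmac.compare_digest(expected, sig):
            return False
        self.used_nonces.add(nonce)
        return True


def scenario() -> Dict[str, bool]:
    """Alice intends to pay 50 to 'grocer'; malware in her browser rewrites
    the destination to 'mule' after she has logged in."""
    bank = Bank()
    sid = bank.login("alice")
    token = bank.token_secret["alice"]  # stands in for Alice's hardware token

    # Session-only policy: the rewritten transfer goes through.
    tampered_accepted = bank.transfer_session_only(sid, 50, "mule")

    # Transaction signing: Alice signs what she sees (50 to grocer)...
    nonce = bank.challenge(sid)
    sig = sign_transaction(token, 50, "grocer", nonce)
    legit_accepted = bank.transfer_signed(sid, 50, "grocer", nonce, sig)

    # ...so the same kind of signature presented with a rewritten destination fails,
    nonce2 = bank.challenge(sid)
    sig2 = sign_transaction(token, 50, "grocer", nonce2)
    tampered_rejected = not bank.transfer_signed(sid, 50, "mule", nonce2, sig2)

    # and a captured signature cannot be replayed later (the Box 2.3 pattern).
    replay_rejected = not bank.transfer_signed(sid, 50, "grocer", nonce, sig)

    return {
        "session_only_accepts_tampered": tampered_accepted,
        "signed_accepts_legitimate": legit_accepted,
        "signed_rejects_tampered": tampered_rejected,
        "signed_rejects_replay": replay_rejected,
    }


if __name__ == "__main__":
    for check, result in scenario().items():
        print(f"{check}: {result}")
```

The design point is that the signed value must include the destination and amount the customer actually saw, plus a nonce the bank will accept once; a code that depends only on time or on the login, as in Box 2.3, is just as valid for the attacker's transaction as for the customer's.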



Digital certificates and secure socket layer (SSL) 

.tal certificates and Secure Socket Layer (SSL) connections are often 
protect the confidentiality and integrity of data sent over the Internet 
verify the authenticity of the remote host (most commonly to 
cate a remote server). While these protections are useful, they do not 
security at the end points of a transaction, but generally only the 
in between. While an SSL session is established, data needs to be 
:d and decrypted as data are transferred back and forth between the 
its. When a user's machine has been compromised by malware 14, the 
ng sent can be captured before encryption occurs - and for data 
I - after it has been decrypted. Efforts to provide a higher level of 




Errors and warnings due to invalid SSL certificates are frequently 
highly technical in nature and therefore confusing to users. 

According to one usability study performed, consumers most often 
ignore the absence of an SSL connection before entering personal 
data, or ignore warnings provided (Dhamija, 2007). 

When organisations use self-signed certificates, "untrusted signer" 
warnings may be displayed and generate confusion for users. 
In some cases, malicious site operators have been able to obtain 
legitimate SSL certificates from Certificate Authorities (Krebs, 
2006). 15 



Box 2.4 The problem with digital certificates and SSL 

gital certificate 16 is a mechanism to establish the credentials of a person or 
onducting business or transactions online. It is often used within SSL 17 
sessions. The use of digital certificates within SSL protected sessions is 
s of building trust and confidence in e-commerce and e-government 
ions. However, some forms of malware when installed on a user's 
er can wait for a legitimate SSL session to be established with a particular 
. for example a specific online banking site, and then inject HTML code 
browser interface before the legitimate remote web site page renders on 
's computer. 

has the effect of changing the content and appearance of the web page 
lough the remote site has not been modified), while the user's computer 
intains a valid SSL connection with the remote host. A check of the SSL 
certificate, by the user, will show that it is a valid certificate for the remote 
hat the user sees on the screen and the data the user is prompted to input, 

virtually impossible for users to know whether or not they have a secure 
ion with a legitimate remote host - and by inference - whether what they 
ic browser window is the content of the legitimate remote host. Therefore, 
of digital certificates within SSL-protected sessions, as a means of 

verifying the identity of a remote web domain, has been fundamentally 



i are perpetrated 



;ess and restore the data. Although this type of malware is not as 
it as other types of malware, there were several high profile cases in 
at raised attention around the issue (Sophos, 2007a). Such attacks, 
y deny the user/owner access to their own data, but harm the 
confidentiality and integrity of that data by the attacker's unauthorised 
j it and encryption of it. 



Box 2.5 A ransom example: the Arhiveus 

paying a ransom in return for the restoration of the files. 

n users tried to access their files, they were directed to a file containing 

ions on how to recover the data. The instructions began: 

TRUCTIONS HOW TO GET YOUR FILES BACK READ CAREFULLY. 
'OU DO NOT UNDERSTAND - READ AGAIN. 

is the automated report generated by auto archiving software, 
r computer caught our software while browsing illegal porn pages, all 
r documents, text files, databases in the folder My Documents was 
lived with long password. 

cannot guess the password for your archived files - password length is 
e than 30 symbols that makes all password recovery programmes fail to 
'e force it (guess password by trying all possible combinations), 
not try to search for a programme that encrypted your information - it 
•>ly does not exist in your hard disk anymore. Reporting to police about a 
' will not help you, they do not know the password. Reporting somewhere 
tit our email account will not help you to restore files. Moreover, you and 
t people will lose contact with us, and consequently, all the encrypted 

nany of these cases the attacker encrypts files such as personal 
aphs, letters, household budgets and other content. To retrieve their data, 
ere required to enter a 30 character password which they were told would 
able after making purchases from one of three online drug stores. 

Sophos (2007b). "Security Threat Report Update July 2007". 
mnsxiiiii/seaihty/wldtepupenJ. accessed 12 December 2007. 




the UK's public and private critical information infrastructure, 
rojans were assessed to be seeking covert gathering and transmitting 
eged information (NISCC, 2005). Malware of this sort can also be 
companies and other organisations to gather information about their 
tors as demonstrated by the example below. 



Box 2.6 The case of Michael and Ruth Haephrati 

March of 2006, Michael and Ruth Haephrati were extradited to Israel from 

1 Haephrati is said to have developed and refined the programme while his 
Ruth, managed business dealings with several private investigation 
ies which bought it and installed it on the computers of their clients' 
itors. Specifically, the Trojan horse is believed to have been used to spy 
\nni Rahav public relations agency (whose clients include Israel's second 
mobile phone operator, Partner Communications), and the HOT cable 
:>n group. Another alleged victim was Champion Motors, who import 
id Volkswagen motor vehicles. 

Brier-Haephrati was formally charged with aggravated fraud, unlawful 
er access, virus insertion, installing tapping equipment, invasion of 
, managing an unlawful database, and conspiracy to commit a crime, 
I Haephrati was charged with lesser offenses as the prosecution regarded 
Ruth's assistant because his job was only to perfect the programme and 
to the needs of specific clients. 
MessageLabs (2006) and Sophos (2006c). 



if information 

r the past five years, information theft, and in particular online 
(ID) theft 20, has been an increasing concern to business, 
tents, and individuals. Although malware does not always play a 
ole 21, ID theft directly using malware has become increasingly 
i with the rise of backdoor Trojans and other stealthy programmes 
: on a computer system and capture information covertly. 

. and can use multiple Internet servers to distribute spam and 
:, compromise users' information systems, and then log the stolen 
mother website controlled by the attacker or send it to the attacker's 




use of multiple domain names and multiple hosts or bots (and their 
id IP addresses) is designed to increase the time available for 
g the sensitive information and reduce the effectiveness of efforts re- 
organisations (such as banks), CSIRTs and ISPs to shut down 
nt sites. Under the domain name system (DNS), attackers are able to 
and easily change their DNS tables 23 to reassign new IP addresses 
alent web and logging sites operating under a particular domain. 24 

effect is that as one IP address is closed down, it is trivial for the 
emain active under another IP address in the attacker's DNS table, 
riple, in a recent case IP addresses operating under a single domain 
langed on an automated basis every 30 minutes, and newer DNS 

have made it possible to reduce this time to five minutes or less, 
"s may use legitimate existing domains to host their attacks, or 

specially created fraudulent domains. The only viable mitigation 
; to the latter situation is to seek de-registration of the domain 
RT, 2006). 



Figure 2.1 Online ID theft attack system involving malware 





aek trends 

dynamic nature of malware keeps most security experts constantly 
lookout for new types of malware and new vectors for attack. Due to 
plex technical nature of malware, it is helpful to examine overall 
ends to better understand how attacks using malware are evolving, 
nlioned previously, the use of malware is becoming more 
:ated and targeted. Attackers are using increasingly deceptive social 
"ing techniques to entice users to seemingly legitimate web pages 

actually infected and/or compromised with malware. Figure 2.2 
rs the types of attack that seem to be on the increase, those that are 
iut of favour, and those for which the trend remains unclear or not 
. 

Figure 2.2 General attack trends 

Legend: attack types that seem to be prevalent or on the rise; attack types that seem to be declining; attack types for which the direction is unclear. 

[Figure: only the item labels survive extraction; which trend category each belongs to is not recoverable here.] 
Items shown: blended or multi-faceted or ...-based attacks; teenage "for fun" hacking; smaller scale "targeted" attacks; malware on mobile; social engineering; DDoS attacks; spam delivered by botnets; serious worm and virus outbreaks; malware in legitimate websites; using spam e-mail to entice ... attacks. 


ilware attacks 

;in refers to both where the attackers who launch the attack are based 
tc the computer systems that actually attack the targeted system are 
In most cases, it is easy to see where the attacking computer 
are hosted based on their Internet protocol or "IP" addresses, but 
not usually sufficient to identify the person responsible for launching 
;k. For example, "spoofing" is a technique designed to deceive an 
ned person about the origin of, typically, an e-mail or a website. 25 
cover, rarely is the attacker located in the same geographic region as 
.king hosts. It is common practice among cybercriminals 26 to use 
mised computers (and to a lesser extent anonymous proxies 27) hosted 
eign legal jurisdiction to launch their attacks. This protects their 
and provides additional computing resources beyond what they 
therwise afford. Criminals are acutely aware of the significant 
ional impediments that hinder or even prevent cybercrime 
ations from being conducted if the crimes are sourced 
onally. 

ware is now spread around the world and rankings tend to show 
vhole host of countries across the developed and the developing 
ire home to online criminals using malware. Although attacks 
arg from one country may have local targets, the predominant trend 
;s that originate internationally relative to their targets. In addition, 
by may play a role depending on the end goal of the attacker. For 
:, broadband Internet speeds differ from country to country. If an 

wishes to maximise network damage, he/she may use compromised 
:rs located in countries where broadband is prevalent. If the goal is 
ide service or steal information over time, the attacker may use 
nised computers from a variety of geographical locations, 
ihical distribution allows for increased anonymity of attacks and 

identification, investigation and prosecution of attackers. 




Figure 2.3 Malicious actors 

The Innovators 

3d individuals who devote their time to finding security holes in systems 

ew environments to see if they are suitable for malicious code 

ige 

ce the challenge of overcoming existing protection measures 

The Amateur Fame Seekers 

s of the game with limited computing and programming skills 
for media attention 
iady-made tools and tricks 

The Copy-Catters 

be hackers and malware authors 

for celebrity status in the cybercrime community 

ted in recreating simple attacks 

The Insiders 

ntled or ex-employees, contractors and consultants 
ge or theft 

dvantage of inadequate security aided by privileges given to their 
1 the workplace 

Organised Crime 

motivated, highly organised, real-world cyber-crooks; Limited in 
nitless in power 

core of masterminds concentrated on profiteering by whichever means 
'ounding themselves with the human and computer resources to make 



: Inc. (2006), "Virtual Criminology Report 2007 Organized Crime and the Internet". 
e.com/us/threat center/white paper.html. 

is actors 



Who are the malicious actors? 




inised Crime" 28 based on a recent report on criminal activity on line, 
lortant to note, however, that there is also a whole category of actors 
totivations are political or ideological rather than solely financial. 

le a certain amount of crime is always "local", the vast majority of 
rime crosses jurisdictional boundaries and international borders thus 
> the criminals' risk of identification and prosecution. Because many 
; attacks are not able to be traced back to the people that conduct 
is difficult to provide authoritative insight into the nature of groups 
iduals involved in the proliferation of the various types of crime, 
r, some law enforcement and financial institutions are actively 
1 in monitoring and investigating the money trails arising from 
nt fund transfers as a result of phishing and ID theft Trojan related 
These investigations involve identification of money mules, who are 
als recruited willingly and often unwittingly by criminals, to 
; illegal funds transfers from bank accounts. 

ire 2.4 illustrates the evolution of malware in terms of malicious 
'the actors showing a clear evolution from fame seeking "techies" to 
s motivated by financial gain. 

re their capabilities and motivations? 

ig increasingly complex. But while the sophistication of the attacks 
increase, the knowledge required to carry them out significantly 
is. Although this might seem counterintuitive, it can largely be 
d to the increased market for malware. The majority of today's 
i are motivated adversaries who are capable of purchasing malware 
urcing attacks to more sophisticated attackers. 




Figure 2.4 Visibility of malware vs. malicious intent 

[Figure: only the label "worms" survives extraction.] 

GOVCERT.NL, www.govcert.nl. 

e business model 

expert recently noted that "creating one's own bot and setting up a 
i now relatively easy. You don't need specialist knowledge, but can 
download the available tools or even source code" (McAfee Inc., 
In addition, "off-the-shelf kits with ready-made Trojans can be 
ided from the Internet. Some versions are guaranteed by the authors 
n undetected by security defences and some even include a "service 
reement" by which the author guarantees, for a certain period of 

create new versions for the criminal once the original malware is 
. It has been estimated that this service can cost as little as USD 800 
eLabs, 2006). In addition, many malicious services, such as botnets, 
lable for hire. 

ware, and by extension its main propagation vector, spam 30, are 
:igly combined as key underpinnings of criminal techniques to make 
the rapidly evolving "Internet economy". Malware has evolved into 
tarket" money-making schemes because it offers such a profitable 
; model. Malware techniques are becoming increasingly 




rate espionage, or to gain access to privileged or proprietary 
lion or to deny access to critical information systems). 

attackers continue to remain successful at launching attacks, the 
; economy becomes self-perpetuating. Spammers, phishers, and 
/ber criminals are becoming wealthier, and therefore have more 
I power to create larger engines of destruction. It is a big business, 
;d by wealthy individuals, with multiple employees and large 
s of illicit cash. In addition to an increased frequency and 
;alk>n of attacks, the amount of damage is significant. 31 

lern attacks demonstrate an increasing level of convergence, with a 
ition of spam and social engineering designed to yield the greatest 
profitability to the attacker. In addition, today's attacks often consist 
es of waves each having a specific purpose. A simple attack will aim 
ng up a list of valid e-mail addresses. It will be followed by e-mail 
arvested accounts containing viruses with a payload that makes a 
.■stem part of a botnet. Once part of a botnet, the machines are often 
disseminate phishing emails which in turn produce the attack's 
y return. 

conomic rationale for malware 

ail is not at an economic equilibrium between the sender and the 
t because it costs virtually nothing to send. All the costs of dealing 
am and malware are passed on to the Internet provider and the 
ng" recipients, who are charged for protective measures, bandwidth 
connection costs, on top of the costs of repairing the computer or 
ost money to scams. At the same time, criminals minimise their costs 
heme: they pay no tax, escape the cost of running a genuine business, and 
nmission only to others in criminal circles worldwide and at a 
lively low price. 

cost to malicious actors continues to decrease as freely available 
>rage space increases. Further, the use of botnets makes it easier and 
saper to send malware through email. Today's criminals often have 
o cheap techniques for harvesting email addresses as well as easy 
to malware and outsourced spamming services. Anti-detection 
tes are constantly evolving to make it cheaper to operate, and 
s actors can easily switch ISPs if their activity is detected and their 




i the malware itself and the compromised computers being used to 
aunch malware attacks are a low cost, readily available and easily 
tie resource. High speed Internet connections and increased 
kh allow for the mass creation of compromised information systems 
:iprise a self sustaining attack system as illustrated by Figure 2.5. 
nore, malicious actors can replace compromised information 

that have been disconnected or cleaned, and they can expand the 
of compromised information systems as the demand for resources 

malware and compromised information systems) for committing 
me also grows. 



Figure 2.5 Self sustaining attack system using malware 

Note: this figure shows how malware is used to create a self sustaining 



ying business process 

underlying business processes for spam and malware largely follow 




Gathering of addresses, targeted or not, and/or developing or 
acquiring control of a botnet. 

Delivering spam, with or without malware, from other people's 
computers through botnets. 

Publishing fraudulent websites to capture users' data. 

lis pattern, certain groups of attackers are active in the entire value 
starting with the development of the malware and performing the 
of the spam and/or malware, all the way to laundering the money 
"clean" bank account. Much of the criminal market, however, is 
ed into clusters of expertise with the opportunity to source partners 
, primarily through Internet Relay Chat (IRC) channels, 
jund bulletin boards, and online forums. 

ninals develop, maintain and sell malware, botnets, spam 
:sion software, CDs full of addresses harvested from web pages, lists 
proxy servers and lists of open simple mail transfer protocol 
" relays. The lists of addresses or controls of a botnet are then 
ut or sold. These lists are often inexpensive at around USD 100 for 

ttle or no cost, the only hard costs are various "utilities" such as 
Ith, Internet connection, e-mail addresses, or web hosting, and even 
n be financed illegally. 



le the use of malware to facilitate cybercrime, particularly crimes 
d by illicit financial gain, has increased, the money made through 
this online activity has become increasingly difficult to trace. As in 
lal criminal investi g where the money goes by 
g the cash flows could provide essential information on the 
s. However the victims of online m 

pay by wire transfers (46% of online scams transactions in the US 
), followed by card payment (28%), both much preferred for their 
id the potential to mask tracks easily, by comparison with cheques 
which now represent less than 10% of the payments. These types 
;ents are fast and can be made almost anonymously through the use 
pie financial accounts across borders. Alternative payments systems 
'e-Gold' or PayPal used by criminals further down the chain make it 
;>re difficult to trace financial movements. Users of these online 
: services can open an account using a fraudulent name and deploy a 




Notes 



"Indirect attacks on the DNS" below for further information on types 



lere the vulnerability exists. DoS attacks of this type can be rectified, 
wever, by applying the software or firmware patch, or implementing 
me other work-around. In the case of flood attacks, the ability to 
itigate is more difficult and protracted and hence the impact is 
tentially more serious. 

:e Chapter 1, "The Malware Internet: Botnets" section, for a 
mprehensive discussion of bots and botnets. 

Internet exchange point (IX or IXP) is a physical infrastructure that 
ows different Internet Service Providers (ISPs) to exchange Internet 
iffic between their networks by means of mutual peering agreements, 
lich allow traffic to be exchanged without cost. IXPs reduce the portion 
an ISP's traffic which must be delivered via their upstream transit 
oviders, thereby reducing the Average Per-Bit Delivery cost of their 
rvice. Furthermore, IXPs improve routing efficiency and fault- 

ir example, a senior official was quoted by The Economist saying "If a 
ember State's communications centre is attacked with a missile, you call 
an act of war. So what do you call it if the same installation is disabled 
th a cyber-attack?"; see The Economist (2007), "A cyber riot", 10 
May. 

le Add Grace Period (AGP) refers to a specified number of calendar 
versed and a credit may be issued to a registrar. AGP is typically the 
le Internet Protocol (IP) allows large, geographically diverse and 






lis is a theoretical proposition only. The authors are not aware that such 
ber attacks have occurred involving the use of malware. 
Frame" is the hybrid of inline frame, and describes an HTML element 
lich makes it possible to embed another HTML document inside the 

stance an advertisement) from another website into the current page. 
le Netcraft Toolbar Community is a digital neighbourhood watch 
heme in which expert members act to defend all Internet users against 
ishing frauds. Once the first recipients of a phishing e-mail have 
ported the target URL, it is blocked for toolbar users who subsequently 
cess that same URL. 

lese packages, known broadly as Rockphish or R11, each included 

zens of sites aimed at spoofing major banks. 

lis includes all types of ID Theft, online and offline. 

Gold is a 'digital currency', but which is backed by real gold and silver 

>red in banks in Europe and the Middle-East. E-Gold can be used as a 

ability to capture data transmitted during an SSL session - not just 
se which also include HTML injection functionality. 

digital certificate is a means of authenticating an identity for an entity 
hen doing business or other transactions on the web or on line. Digital 
rtificates exist as part of public key infrastructures (PKI). PKI uses 
blic key cryptography and an associated hierarchical infrastructure of 
ot Certification Authorities (CAs) and Registry Authorities to process 
quests for, issue and revoke certificates. Even when a digital certificate 

rify that they are a legitimate business entity or own a particular domain 
d others, which may be issued by a CA, have only low assurance levels, 
the CA has provided only very basic checking to verify that the entity 
who it is claiming to be. A certificate contains the entity's name, a 
rial number, certificate expiration dates, a copy of the certificate 
holder's public key (used for encrypting messages and verifying digital 



SSL is a cryptographic protocol used to provide secure communications 
er the Internet, for such things as web browsing, e-mail, Internet faxing, 

ore recent versions of the Haxdoor Trojan also have the ability to use 
HTML injection. See AusCERT (2006). 

has been assessed that such attacks are not likely to gain popularity as 
y organisation with a basic level of preparedness should have back-up 
pies of their data available. However, it may also be that individuals are 
not aware of this risk, or simply lack basic security education to protect 
mselves from malware. 

:e OECD (2008b), where Identity Theft is defined as the unlawful 
transfer, possession, or misuse of personal information with the intent to 
mmit, or in connection with, a fraud or other crime. 
entity theft attacks most often use social engineering techniques to 
nvince the user to necessarily disclose information to what they assume 
a trusted source. This technique, known as Phishing, does not directly 
ly on the use of malware to work. It uses deceptive or "spoofed" e-mails 

rsonal information. However, as many phishing attacks are launched 
nn spam emails sent from botnets, malware is indirectly involved as it 
used to create botnets which are in turn used to send the spam e-mail 
ed in phishing attacks. Malware would be directly implicated when the 
am e-mails contained embedded malware or a link to a website where 
alware would be automatically downloaded. 
lis is a technique known as "fast flux". 

DNS table provides a record of domain names and matching IP 
S and attacks against the DNS. 

hen spoofing is used, identifying the source IP address of an e-mail or 
bsite is usually a futile effort. It is also possible to spoof the source IP 
dress of an IPv4 datagram, thereby making real identification of the 
urce IP address much more difficult. It should be noted that this is often 
not required for an attack to succeed or can be counter-productive for the 
acker if the objective is to steal data from a computer. The use of 
onymising technologies could pose a more serious problem for 



re we refer to cybercriminals who are conducting attacks full-time for 
icit financial gain and may have an area of specialisation or be involved 
a variety of business lines such as phishing, Trojans, spam distribution, 
ckfraud, malware development, etc. 

computer networks, a proxy server is a server (a computer system or an 
plication programme) which services the requests of its clients by 
rwarding requests to other servers. A client connects to the proxy 
rver, requesting some service, such as a file, connection, web page, or 
her resource, available from a different server. The proxy server 
ovides the resource by connecting to the specified server and requesting 
; service on behalf of the client. A proxy server that removes 
identifying information from the client's requests for the purpose of 
onymity is called an anonymising proxy server or anonymiser. 
ir example, see Symantec (2007) p. 9. 

"Organised crime" is used loosely in this context and often refers to a group of profit-motivated criminals who trade services with one another in an open marketplace.

As discussed previously in this paper, not all spam contains malware; however, the majority of spam is sent from information systems that have been compromised by malware.

See Chapter 3, "Malware: Why Should We Be Concerned?" for a discussion of the impacts from malware.

Simple Mail Transfer Protocol (SMTP) is the de facto standard for e-mail transmissions across the Internet.



United States National Consumer League / National Fraud Information Center (2006), p. 2.



3. MALWARE: WHY SHOULD WE BE CONCERNED? - 65 



Chapter 3. Malware: Why Should We Be Concerned?



The growth of malware, and the increasingly inventive ways in which it is used to steal personal data, conduct espionage, harm government and business operations, or deny user access to information and services, is a serious threat to the Internet economy, to the ability to further e-government for citizen services, to individuals' online social activities, and to national security.

Enabling factors

The capabilities of malware make it a prevalent "cybercriminal tool". However, broader economic and social factors may contribute to its increased occurrence and the robust state of the malware economy. The following describes some of those factors which, while they bring important benefits to society, also facilitate the existence and promulgation of malware.



Broadband Internet and its users

In 2005, the International Telecommunication Union estimated 216 708 "fixed" broadband Internet subscribers in the world (ITU, 2007). Furthermore, it is generally agreed that there are an average of 1 billion Internet users in the world today. As the number of subscribers and users increases, so does the number of available targets for malware. The increased prevalence of high speed Internet and the availability of

successfully carry out attacks as they can compromise computers at faster rates and have the bandwidth to send massive amounts of spam and conduct attacks. Furthermore, these "always on" connections allow malicious



It is important to note that while broadband technologies are an enabling factor, it is the behaviours associated with these technologies that are problematic. For example, people often fail to adopt appropriate security measures when using broadband technologies and therefore leave their connection open without the appropriate security software installed.



More services available online

Most governments, consumers and businesses depend on the Internet to conduct their daily business. In 2004, the OECD found that, in most OECD countries, over 90% of businesses with 250 or more employees had access to the Internet. Firms with 50 to 249 employees also had very high rates of access (OECD, 2005). Home users rely on the Internet for their day to day activities, including shopping, banking or simply exchanging information, and for conducting e-government and e-commerce transactions. As the amount of services continues to increase, so does the likely community of users accessing these services online. This in turn increases the available surface for attack or exploitation, which provides further incentive for attackers to conduct malicious activity.



Operating system and software vulnerabilities

The more vulnerable the technology, the more likely it is to be exploitable through malware. For example, the security firm Symantec reported a 12% increase in the number of known vulnerabilities from the first half of 2006 (January-June 2006) to the second half (June-December 2006), which they largely attribute to the continued growth of vulnerabilities in applications (Symantec, 2007). Microsoft also reported an increase of 2 000 disclosed vulnerabilities from 2005 to 2006. The increase in vulnerabilities corresponds to an increase in incidents. Microsoft reported an increase in the number of machines disinfected by its Malicious Software Removal Tool from less than 4 million at the beginning of 2005 to more than … million at the end of 2006 (Microsoft, 2006b).

It is important to note that the absence of known reported vulnerabilities in a software product does not necessarily make that product more secure than one that has known reported vulnerabilities - it may simply be that the effort has not been expended to find them. In addition, tools that find and exploit vulnerabilities are improving; companies are doing more






Attacks target the average Internet user

As users' activity on the Internet increases, so do the malware threats they face. Consumers and business are increasingly exposed to a new range of targeted attacks that use malware to steal their personal and

Many Internet users are not adequately informed about how they can safely manage their information systems. This lack of awareness and subsequent action or inaction contributes to the increasing prevalence of malware. Most malware requires some form of user action or acceptance to execute. Recent surveys from various organisations show that while more people are taking measures to protect their information systems, a large percentage of the population lacks basic protective measures. For example, a report commissioned by the Australian Government, Trust and Growth in the Online Environment, found that only one in seven computers in Australia uses a firewall and about one in three uses up-to-date virus protection software (OECD, 2007b). After hearing descriptions of "spyware" and "adware," 43% of Internet users, or about 59 million American adults, said they had had one of these programs on their home computer (Brendler, 2007).

The European Commission's Eurobarometer E-communications household survey observed an increase in consumer concerns about spam and viruses in 2006 (European Commission, 2007). For some EC Member States, up to 45% of consumers had experienced significant problems. In … of the cases, the computer performance decreased significantly; in 27% of cases a breakdown was observed. In the same survey, 19% of consumers had no protection system at all on their computers. Other data suggests that home users are the most targeted of all the sectors, accounting for 93% of all targeted attacks, and thus highlighting that weak security is one important enabler of malware (Symantec, 2007).

malware 

In many cases, the consequences of inadequate security measures are "externalised" or borne by others in society. For example, if one user's computer connected to a network or the Internet is inadequately protected and



image. It could also be a response to improved security defenses. However, signalling that large-scale botnets are shrinking in size does not necessarily mean that the counter measures are effective. It might be that attackers have found smaller and more focused botnets to be more profitable. In short: because malicious attack trends are highly dynamic, it is difficult to draw reliable conclusions from them regarding economic impact.

However, considering the growing proportion of compromised information systems connected to the Internet in any single country and the growing challenges to detect and remove malware, the impacts of malware generally are, in all probability, rising as a result.

Financial impacts - sample data

Although precise data on online criminal activity and the associated financial losses are difficult to collect, it is generally accepted that malware contributes significantly to these losses. Further, where data on cybercrime and its economic impact are available, businesses and governments are often reluctant to share it publicly.

An association of banks in the United Kingdom estimated the direct losses caused by malware to its member organisations at GBP 12.2 M in 2004, GBP 23.2 M in 2005, and GBP 33.5 M in 2006, an increase of 90% from 2004 and 44% from 2005 (Whittaker, 2007). It is important to note that direct losses are not fully representative of the actual financial impact as they do not measure diminished customer trust in online transactions, loss of reputation, impact on the brand, and other indirect and opportunity costs that are challenging to quantify. Likewise, they do not include costs, such as

costs associated with the procurement of security tools (such as firewalls and anti-malware software), or loss of productivity caused by the inability of employees to interact with a system when affected by an attack.

A recent survey of 52 information technology professionals and executives estimated a slight decline in the direct damages associated with malware from EUR 12.2 billion in 2004, to EUR 10 billion in 2005, to EUR






estimated the annual loss to United States businesses at USD 67.2 billion (Government Accountability Office, 2007).

Although the malware-related costs of security measures are considered necessary, estimates provided by market participants in the empirical study presented in Part II of this book ranged from 6-10% of the capital cost of operations (Van Eeten, 2008). No clear estimates of the effects of malware on operating expenses were available, although the study found that most organisations did experience such effects (see Part II, "Survey Results on the Economics of Malware"). There was evidence throughout the empirical research that such effects are important, although no specific indication as to their magnitude is available.

The cost to individual consumers may be even more difficult to estimate; however, it is likely significant. One example is the United States, where consumers paid as much as USD 7.8 billion over two years to repair or replace information systems infected with viruses and spyware (Brendler, 2007).

While most of the data are not comparable across studies, and the studies are often limited in scope, they do illustrate the magnitude of the financial impact, for both businesses and consumers, resulting from malware. Also, the collective public costs of fighting malware - ranging from the costs of maintaining public-private monitoring organisations, to the costs of public education campaigns and law enforcement - add to these costs. Finally, there are the potentially high indirect costs of malware in the form of slower migration to efficiency enhancing forms of electronic transactions. The research study presented in Part II of this report indicates that the direct and indirect costs of malware could be a double-digit percentage of the revenues of participants in the information and communications market.

Impact on market participants

The following briefly illustrates how some key market participants are affected by malware (Eeten and Bauer, 2008).

Internet Service Providers (ISPs)

Both the costs and revenues of ISPs, and hence their profitability, are



botnets generating massive amounts of spam, if left uncontrolled, create opportunity costs to the ISP.



The level of these opportunity costs depends on the capacity utilisation of the existing network. If the network has significant spare capacity, the opportunity costs of additional traffic to the ISP will be low. However, if the network is near capacity utilisation, the opportunity costs may be significant as incremental malware-induced traffic may crowd out other traffic in the short run and require additional investment in network facilities, in particular routers and transmission capacity, in the medium and long run.

Malware may also affect an ISP indirectly via reduced revenues if its brand name or customer reputation suffers, for example because of blacklisting and reduced connectivity. ISPs will invest in preventative measures reducing malware, such as filters for incoming traffic or technology that enables them to quarantine infected customers, only if the costs are less than the direct and indirect cost inflicted by malware.

Electronic commerce (E-commerce) companies

E-commerce companies are affected by malware in a variety of ways. They have to deal with DDoS attacks, often requiring them to buy more services from their ISPs so as to protect the availability of their services. Furthermore, malware has been used to capture confidential customer data, such as the credit card information registered with customers' accounts with e-commerce companies. Some sophisticated forms of malware have been able to defeat the security measures of online banking that rely on so-called multi-factor authentication - i.e. on more than just login credentials.

Even if customer information does not immediately allow access to financial resources, it can be used to personalise phishing e-mails that try to lure customers into revealing financial information. There are also cases where the malware is located on the servers of e-commerce companies, which are unaware that their website hosts malicious content that is served to its visitors. Typically, it is the e-commerce customers themselves that are harmed, though directly or indirectly the e-commerce company may also be affected. Financial service providers often compensate losses for their customers. For other companies there can be reputation






these vulnerabilities does not impact the software vendors directly, it may have reputation effects and require costly response measures. Writing, testing and applying vulnerability patches is costly, not only on the part of the vendor, but also for its customers.

Software developers typically face difficult development trade-offs between security, openness of software as a platform, user friendliness, and development costs. Investments in security may delay time to market and may have additional opportunity cost in the form of lost first-mover advantages. On the other hand, if reputation effects work, software vendors whose products have a reputation of poor security may experience costs in the form of lost revenues. These effects are mitigated, however, by the fact that many software markets tend to have dominant firms and thus lock in customers to specific products.

Domain name registrars

Registrars have become part of the security ecosystem. Their business models and policies affect the costs of malware and of the criminal business models built around it. Registrars may derive additional revenues from domain name registrations, even if they are related to malware, but do not incur any specific direct costs. Nonetheless, if their domains are associated with malicious activity, it may result in an increasing number of formal and informal abuse notifications. Dealing with such abuse notifications is costly, requiring registrars to commit and train staff. Cancelling domains may also result in legal liabilities.

Furthermore, many registrars may be ill-equipped to deal with malware de-registration requests. Malware domain de-registrations can be very difficult to process compared to, for example, phishing domain de-registrations, which are normally a clear breach of trademark or copyright. Experts report that registrar abuse handling teams will often cite insufficient evidence to process a de-registration request, although evidence sufficient for many incident response teams has been provided. Because of the risk of legal action where a legitimate domain would be incorrectly de-registered, registrars often prefer to support their customer rather than the complainant.

One of the economic costs that registrars face is proving the identity of registrants. Certain domain spaces (.com.au, for example) require strict tests






End users form the most diverse group of players, ranging from home users to large corporations or governmental organisations. End user machines, from home PCs to corporate web servers, are the typical target of malware. The economic impact of these infected computers is distributed over the whole value system. Some of the impact is suffered by other market players, not by the owners of the infected machines, although there is also malware directly impacting the owners, for example by stealing confidential information from the compromised machine.

Loss of trust and confidence

Society's heavy reliance on information systems makes the consequences of the failure or compromise of those systems potentially

Malware is an effective and efficient means for attackers to compromise large numbers of information systems, which cumulatively has the potential to undermine and erode society's ability to trust the integrity and confidentiality of information traversing these systems. The failure to

provide adequate protection for the confidentiality and integrity of online transactions may have implications for governments, businesses and consumers. For example, electronic government (e-government) services, such as online filing for taxes or benefits, are likely to include personal data which, if compromised, could be used to commit fraud. Information systems in small businesses or large public and private sector organisations might be

access such e-government or electronic commerce (e-commerce)

The nature of malware is such that it is not possible to trust the confidentiality or integrity of data submitted or accessed by any computer compromised by malware. It is often difficult to readily distinguish a compromised host from one that is not compromised and, as a result, in an environment like the Internet, in which malware has taken hold, connections from infected hosts must be treated as potentially suspect. Therefore, the ability to have trust and confidence in online transactions can be further

eroded because traditional mechanisms for building trust and confidence in the information economy such as authentication, encryption and digital certificates can also be subverted, bypassed or manipulated by malware.

In recent years, a number of surveys have been conducted which show






, thus enhancing the economic benefits and efficiencies expected from the use of these platforms.

There are other studies, however, which show that the convenience and efficiency of the online channel is driving growth in participation in e-commerce and e-banking despite these concerns. In 2006, RSA Security launched the first Internet Confidence Index, designed to measure changes in US and European confidence in secure online transactions among consumers and businesses (RSA Security, 2006). At the time, the annual index, based on data gathered from business and consumer audiences in the United States, the United Kingdom, Germany and France, revealed that the willingness to transact online was on average outpacing trust and that both businesses and consumers were absorbing the risks in order to reap the benefits of online transactions.

These two seemingly contradictory pieces of evidence point out that the economic impact of trust is not yet adequately understood and that indeed it is difficult to measure consumer trust and confidence in the online environment. However, empirical evidence reveals that e-commerce companies benefit greatly from the ability to conduct business online. [8] Given the estimated efficiency gains in the financial sector, for example, the savings associated with the enormous volume of transactions translate into a very powerful incentive to move as much volume of these services as possible online. Repeatedly in the study, e-commerce companies indicated that security investment levels were much higher than justified by the direct losses, often by one or two orders of magnitude (Eeten and Bauer, 2008). Thus, direct losses are not seen as indicative of the overall problem. It would be much more devastating, for example, if online fraud eroded consumer trust or slowed down the uptake of online financial services.

Critical information infrastructures

Critical infrastructures at the basis of our society, such as power grids or plants, are now often dependent upon the functioning of underlying computer networks for their instrumentation and control. Most industrial control systems that both monitor and control critical processes were not designed with security in mind, let alone for a globally networked environment, but are now increasingly being connected, directly or indirectly (through corporate networks), to the Internet and therefore face a






potential to impact the public and private sectors and society as a whole.

There have been a few cases where attacks using malware have directly or indirectly affected critical information infrastructure. For example, malicious hackers used a Trojan to take control of a gas pipeline run by Gazprom (Denning, 2000). In January 2003 the "Slammer" worm, which caused major problems for IT systems around the world, penetrated the safety monitoring system at a US nuclear plant for nearly five hours (…, 2003). The US Nuclear Regulatory Commission investigated the incident and found that a contractor had established an unprotected computer connection to its corporate network, through which the worm successfully reached the plant's network (US Nuclear Regulatory Commission, 2003). More recently, the United States indicted James Brewer for operating a botnet of over 10 000 computers across the world, including computers at Cook County Bureau of Health Services (CCBHS). The malware caused the infected computers to, among other things, repeatedly freeze or reboot without notice, thereby causing significant delays in the provision of services and access to data by CCBHS staff.

Although governments are often reluctant to disclose instances of attack against the critical infrastructure, it is apparent that protecting the information systems that support the critical infrastructure has become increasingly important. Despite only a few reported cases, it is widely accepted that critical information systems are vulnerable to attack. For example, although the 2003 blackout in the northeast US and Canada was attributed to a software failure, analysis of the incident demonstrated that the systems were vulnerable to electronic attack, including through the use of



Challenges to fighting malware

Protecting against, detecting and responding to malware has become increasingly complex as malware and the underlying criminal activity which it supports are rapidly evolving and taking advantage of the global nature of the Internet. Many organisations and individuals do not have the resources, time or expertise to prevent and/or respond effectively to malware attacks and the associated secondary crimes which flow from those attacks, such as identity theft, fraud and DDoS. In addition, the scope of one organisation's






and finding ways to block them, but notes that this is almost an impossible task, with about 200 new samples per day and growing (Greene, 2007). Another company reported it receives an average of 15 000 files - and as many as 70 000 - per day from their product users as well as CSIRTs and others in the security community (OECD, 2007b). When samples and

are received, security companies undertake a process to determine if the code is indeed malicious. This is done by gathering data from other vendors, using automated analysis, or by conducting manual analysis when other methods fail to determine the malicious nature of the code. One company estimated that each iteration of this cycle takes about … minutes and they release an average of 10 updates per day (OECD, 2007b). Furthermore, there are many security vendors who all have different insights

Most security technologies such as anti-virus or anti-spyware products are signature-based, meaning they can only detect those pieces of malware for which an identifier, known as a "signature", already exists and has been deployed. There is always a time lag between when new malware is released by attackers into the "wild", when it is discovered, when anti-virus vendors update their signatures, and when those signatures are updated onto users' and organisations' information systems. Attackers actively seek to exploit this window of heightened vulnerability. It is widely accepted that signature-based technologies such as anti-virus programs are largely insufficient to combat today's complex and prevalent malware. For example, one analysis [12] that tested antivirus detection rates for 17 different anti-virus vendors reveals that, on average, only about 48.16% of malware was detected. Substantial evidence such as this indicates that attackers are actively testing new malware creations against popular anti-virus programs to ensure they remain undetected.
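To make the signature time lag concrete, here is an added toy scanner (not code from the report): two hypothetical vendor databases, one holding only exact SHA-256 hashes and one that also holds a byte pattern, are scored against four constructed byte strings standing in for files. Vendor names, sample contents and the pattern are all constructed for the illustration; nothing here is real malware.

```python
"""Toy signature-based scanner: why exact-hash signatures leave a detection gap.

Two hypothetical vendors each hold a signature database. An entry is either an
exact SHA-256 hash of a known file or a byte pattern shared by a family of
files. The "samples" are constructed strings, not real malware.
"""
import hashlib
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Signature:
    kind: str     # "hash" (hex SHA-256 digest as bytes) or "pattern" (raw bytes)
    value: bytes


@dataclass
class Vendor:
    name: str
    signatures: list = field(default_factory=list)

    def detects(self, data: bytes) -> bool:
        """True if any signature matches: exact digest, or pattern contained in data."""
        digest = hashlib.sha256(data).hexdigest().encode()
        for sig in self.signatures:
            if sig.kind == "hash" and sig.value == digest:
                return True
            if sig.kind == "pattern" and sig.value in data:
                return True
        return False


def hash_sig(data: bytes) -> Signature:
    """Signature for one exact file, the way a hash-only database records a sample."""
    return Signature("hash", hashlib.sha256(data).hexdigest().encode())


def detection_rate(vendor: Vendor, samples: list) -> float:
    """Fraction of samples the vendor flags (0.0 to 1.0)."""
    hits = sum(1 for s in samples if vendor.detects(s))
    return hits / len(samples)


def average_rate(vendors: list, samples: list) -> float:
    """Mean detection rate across vendors, the figure the report quotes (48.16%)."""
    return sum(detection_rate(v, samples) for v in vendors) / len(vendors)


def undetected(vendors: list, samples: list) -> list:
    """Samples no vendor flags: the window the report calls heightened vulnerability."""
    return [s for s in samples if not any(v.detects(s) for v in vendors)]


# Constructed sample set (stand-ins for file contents; the "MZ" prefix is decorative).
KNOWN_A = b"MZ\x90\x00 constructed sample A: beacon to constructed-c2.example"
VARIANT_A = KNOWN_A.replace(b"sample A", b"sample a")  # exactly one byte differs
KNOWN_B = b"MZ\x90\x00 constructed sample B: disable updates"
NEW_C = b"MZ\x90\x00 constructed sample C: released today, no signature yet"
SAMPLES = [KNOWN_A, VARIANT_A, KNOWN_B, NEW_C]

# Vendor 1 has analysed A and B and stores only their exact hashes.
HASH_ONLY = Vendor("hash-only", [hash_sig(KNOWN_A), hash_sig(KNOWN_B)])
# Vendor 2 generalised sample A into a byte pattern shared by its variants.
WITH_PATTERNS = Vendor(
    "with-patterns",
    [hash_sig(KNOWN_B), Signature("pattern", b"constructed-c2.example")],
)
VENDORS = [HASH_ONLY, WITH_PATTERNS]

if __name__ == "__main__":
    for v in VENDORS:
        print(f"{v.name}: {detection_rate(v, SAMPLES):.0%} of samples detected")
    print(f"average across vendors: {average_rate(VENDORS, SAMPLES):.2%}")
    print(f"missed by every vendor: {undetected(VENDORS, SAMPLES)}")
```

The one-byte variant defeats the hash-only database but not the pattern, while the brand-new sample is missed by both: signature updates only close the gap after a sample has been collected and analysed.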

In addition, malicious actors exploit the distributed and global nature of the Internet as well as the complications of law and jurisdiction bound by traditional physical boundaries to diminish the risks of being identified and prosecuted. For example, a large portion of data trapped by attackers using

While many have taken legislative action to help reprimand criminals, not all have legal frameworks that support the prosecution of cyber criminals. [13] The



Law enforcement agencies throughout the world have made efforts to prosecute cyber criminals. For example, the Computer Crime and Intellectual Property Section of the US Department of Justice has reported the prosecution of 116 computer crime cases from 1998 - 2006. [14] Although statistics on arrests are hard to determine, one company estimated worldwide arrests at 100 in 2004, several hundred in 2005 and then 100

2006 (Greene, 2007). While these cases did not necessarily involve malware, they help illustrate the activities of the law enforcement community. It is important to note that the individuals prosecuted are often responsible for multiple attacks. These figures are low considering the prevalence of online incidents and crime. They highlight the complex challenges faced by law enforcement in investigating cybercrime.

Furthermore, the volatile nature of electronic evidence and the frequent lack of logged information can often mean that evidence is destroyed by the time law enforcement officers can get the necessary warrants to recover it. The bureaucracy of law enforcement provides good checks and balances, but is often too slow to cope with the speed of electronic crime. Finally, incident responders often do not understand the needs of law enforcement and accidentally destroy electronic evidence.

Today, the benefits of malware seem to be greater for attackers than the costs of undertaking the criminal activity. Cyberspace offers criminals a large number of potential targets and ways to derive income from online activity. It also provides an abundant supply of computing resources that can be harnessed to facilitate this criminal activity. Both the malware and the compromised information systems being used to launch the attacks have a low cost, are readily available and frequently updated. High speed Internet connections and increased bandwidth allow for the mass compromise of information systems that renew and expand the self sustaining attack cycle. By contrast, communities engaged in fighting malware face numerous challenges that they cannot always address effectively.






Notes 



A 2004 report from the U.S. Joint Council on Information Age Crime showed that 36% or less of organisations polled reported computer-related crimes to law enforcement. See US Joint Council on Information Age Crime (2004), p. ….

In this case, direct damages refer to labour costs to analyse, repair and cleanse infected systems, loss of user productivity, loss of revenue due to loss or degraded performance of systems, and other costs directly incurred

as the result of a malware attack. Direct damages do not include preventive costs of antivirus hardware or software, ongoing personnel costs for IT security staff, secondary costs of subsequent attacks enabled by the original malware attack, insurance costs, damage to the organisation's brand, or loss of market value. [Note: Issues include limited sample sizes, limited responses, inability to accurately estimate



See Chapter 2 for a more detailed discussion of how malware may subvert these security technologies and counter-measures.

Australian Government, Office of the Privacy Commissioner (2004); Consumer Reports WebWatch (2005); Gartner (2005); RSA Security






"US v. James Brewer", United States District Court, Northern District of Illinois, Eastern Division (2007).

A recent OECD report, The Development of Policies to Protect the Critical Information Infrastructure, highlights this point. See OECD (2008c).

US-Canada Power System Outage Task Force (2003), p. 131.

Information provided to the OECD by CERT.br, the national CSIRT for Brazil.

This website provides a survey of cybercrime legislation that documents … countries with some existing cybercrime law. See http://www.cybercrimelaw.net/index.html.

United States Department of Justice, Computer Crime & Intellectual Property Section (2007).



II. THE ECONOMICS OF MALWARE - 79



Part II. The Economics of Malware 



Michel J.G. van Eeten [1] and Johannes M. Bauer [2]
with contributions from Mark de Bruijne, Tithi Chattopadhyay, Wolter …, John Groenewegen, and Yuehua Wu



While malware is a product of criminal behaviour, its ultimate magnitude and impact are influenced by the decisions and behaviour of legitimate market participants, such as: Internet Service Providers (ISPs), software vendors, e-commerce companies, hardware manufacturers, domain name registrars and, last but not least, end users. Part II of this book presents extensive empirical research into the incentives that drive the security decisions of Internet market participants. The results of this research identify a number of market-based incentive mechanisms that contribute to improved security. But there are also instances in which decentralised decisions may lead to sub-optimal outcomes - i.e. where the consequences of inadequate security measures are "externalised", or borne by others in the

Part II of this book is an edited version of an original OECD working paper entitled "The Economics of Malware", the content of which is available at http://dx.doi.org/10.1787/241440230621.



Faculty of Technology, Policy and Management, Delft University of Technology.



4. CYBERSECURITY AND ECONOMIC INCENTIVES - 81 



Chapter 4. Cybersecurity and Economic Incentives



A survey by the OECD (2005a) demonstrates that governments have adopted national policy frameworks, as well as partnerships with the private sector and civil society, to combat cybercrime. Measures include Computer Security Incident Response Teams (CSIRTs), raising awareness, information sharing and education.

Yet improving cybersecurity is not a straightforward problem. Notwithstanding rapidly growing investments in security measures, it has become clear that cybersecurity is a technological arms race that, for the foreseeable future, no one can win. Take spam, for instance. Several years ago, so-called open e-mail relays were a major source of spam. ISPs and operators developed measures, such as blacklisting, to collectively combat open relays. By the time adoption of these measures reached a critical mass, spammers had already shifted their tactics. As a result, the significant reduction in the number of open relays had hardly any impact on the amount of spam. The list of such examples goes on and on.

While many would agree that cybersecurity needs to be strengthened, the effectiveness of many security measures is uncertain and contested. Furthermore, security measures may also impede innovation and productivity. Those involved in improving cybersecurity sometimes tend to forget that the reason why the Internet is so susceptible to security threats - namely its openness - is also the reason why it has enabled an extraordinary wave of innovation and productivity growth.

In the Internet world, the benefits of productivity growth often outweigh the risks of innovation - as in the case of online credit card transactions. Since the start of moving their business online, credit card companies have dealt with rising fraud. However, this has not stopped them from






and Carter, 2005). Rather than implementing far-reaching security measures that would restrict the ease of use of their systems, credit card companies have adopted strategies to fight instances of fraud, up to the point where the costs of further reductions in fraud start to exceed the benefits of fraud avoided.

This means that total security is neither achievable nor desirable. In practice, actors need to make their own tradeoffs regarding what kind of security measures they deem appropriate and rational, given their business models. Clearly, business models vary widely for actors in the different parts of the complex ecosystem surrounding information systems and networks — from ISPs at different tiers to software providers of varying descriptions, to online merchants, to public service organisations and to end users. All of these actors experience malware differently, as well as the costs and benefits associated with alternative courses of action. In other words, many instances of what could be conceived as security failures are in fact the outcome of rational economic decisions, reflecting the costs and benefits perceived by the actors during their decision-making timeframe.

What is needed, then, is a better understanding of these costs and benefits from the perspective of individual actors and of society at large. Part II of this report sets out to identify the incentives under which a variety of Internet market participants operate, and to determine whether these incentives adequately reflect the costs and benefits of security for society - or whether these incentives generate externalities. To address these issues, the findings are presented of a recent research project on incentives that may help lay the groundwork for future policymaking.

A focus on incentive structures 

Research in the field of cybersecurity is undergoing a major paradigm shift. More and more researchers are adopting economic approaches to study cybersecurity, shifting emphasis away from technological causes and solutions. Most of this innovative research has yet to find its way into the minds of policy makers, let alone into the policies themselves. While reports like the OECD survey on the culture of security (OECD, 2005a) generally recognise that cybersecurity is more than a technological issue, the proposed responses are still mostly oriented in that direction: developing technological solutions and efforts to stimulate their adoption. The technological 






Box 4.1 OECD Guidelines and the Economics of Cybersecurity 

In 2002, the OECD released the Guidelines for the Security of Information Systems and Networks (OECD, 2002a). A set of nine non-binding guidelines aim to promote "a culture of security" - that is, "a focus on security in the development of information systems and networks and the adoption of new ways of thinking and behaving when using and interacting within information systems and networks". The guidelines reflect the shared understanding of OECD member countries as well as a variety of business and consumer organisations. 

Guidelines for the Security of Information Systems and Networks 

Awareness 
Participants should be aware of the need for security of information systems and networks and what they can do to enhance security. 

Responsibility 
All participants are responsible for the security of information systems and networks. 

Response 
Participants should act in a timely and co-operative manner to prevent, detect and respond to security incidents. 

Ethics 
Participants should respect the legitimate interests of others. 

Democracy 
The security of information systems and networks should be compatible with essential values of a democratic society. 

Risk assessment 
Participants should conduct risk assessments. 

Security design and implementation 
Participants should incorporate security as an essential element of information systems and networks. 

Security management 
Participants should adopt a comprehensive approach to security management. 

Reassessment 
Participants should review and reassess the security of information systems and networks, and make appropriate modifications to security policies, practices, measures and procedures. 

The "culture of security" that the guidelines aim to promote will be influenced 




Chapter 5 provides a more detailed discussion of why this is the case. For now, it suffices to mention a few examples. Take firms' investment in security measures. Research has demonstrated that a focus on security may mean actively participating in information sharing with other firms. Under certain conditions, this actually leads to decreased investment levels. Also, a firm taking protective measures may create positive externalities for others - that is, benefits for others that are not reflected in the decision by that firm - which may reduce their investments to a level that is below the social optimum. 

Another example is the manufacturing of software. According to the OECD Guidelines (OECD, 2002b), "Suppliers of services and products should bring to market secure services and products." Even if it was clear what the term "secure software" means, many software markets do not reward such behaviour. Rather, they reward first movers - that is, those companies that are first in bringing a new product to market. This means it is more important to get to the market early, rather than first investing in better security. A final example relates to end-users. The Guidelines argue that end users are responsible for their own system. In the case of malware, however, this responsibility may lead to security tradeoffs that are optimal for the end users, but have negative effects on others. More and more malware actively seeks to reduce its impact on the infected host, so as not to be detected or removed, using the infected host to attack other systems instead of the host itself. 

In short: the development of a "culture of security" is very sensitive to economic incentive structures. Whether such a culture will actually improve overall security performance requires a better understanding of the incentives under which actors operate as well as policies that address those situations in which incentives produce outcomes that are not socially optimal. The research findings presented in this Part II of the malware report aim to contribute to this undertaking. 



Notwithstanding the necessity of these initiatives, they typically ignore the economic factors affecting cybersecurity - i.e. the underlying economic incentive structure. As Anderson and Moore (2006, p. 610) have noted, "over the past 6 years, people have realised that security failure is caused at least as often by bad incentives as by bad design." Many of the problems of information security can be explained more clearly and convincingly using the language of microeconomics: network effects, externalities, asymmetric information, moral hazard, adverse selection. 






In the second part of the 1990s, when the scale of virus distribution was rapidly increasing and countless end users (home, corporate, governmental) were infected, many ISPs argued that virus protection was the responsibility of the end users themselves. The computer was their property, after all. ISPs also argued that they could not scan the traffic coming through their e-mail servers, because that would invade the privacy of the end user. Mail boxes were considered the property of the end users. 

About five years ago, this started to change, partly due to the growth of broadband and always-on connections. The distribution of viruses and spam had increased exponentially and now the infrastructure of the ISPs themselves was succumbing to the load, requiring potentially significant network expansion. Facing these potential costs, ISPs shifted their position. Within a few years, the majority of them started to scan incoming e-mail traffic, deleting traffic identified as malicious content, since this had become a lower-cost solution than infrastructure expansion. De facto, ISPs re-interpreted the various property rights associated with e-mail - e.g. regarding ownership of the message. Their scanning policies have made e-mail based viruses dramatically less effective as an attack strategy. 



An economic perspective 

An economic perspective on cybersecurity - and malware in particular - offers a potentially fruitful starting point for future policymaking. That's because it leads to a focus on market participants' (1) incentive structures and (2) market externalities, or the consequences of inadequate security decisions that are borne by other market participants or society in general. 

In this chapter and those following, the economic perspective on malware and cybersecurity is examined, building on the innovative research efforts of the past six years (for a brief overview of the existing literature see Anderson and Moore, 2007; Anderson et al., 2008). It is a first step in this direction, and given the complexity of the problem, more work will undoubtedly be needed. 

A promising approach is to complement the existing research with qualitative field work. Field research is important because there is little information in the public domain on how Internet market 






Box 4.2 The problem with prevailing research methods 

So far, most of the Internet related economics research has been based on the methods of neo-classical and new-institutional economics. While powerful, these methods are based on rather stringent assumptions about how actors behave - including their rationality, their security tradeoffs and the kind of information they have, and how they interact with their institutional environment. 

One of the key limitations of studies founded on these methodological assumptions is that they often treat issues of institutional design as rather trivial. That is to say, the literature assumes that its models indicate what market design is optimal, that this design can be brought into existence at will, and that actors will behave according to the model's assumptions. 

If the past decade of economic reforms - including privatisation, liberalisation and deregulation - have taught us anything, it is that designing markets is highly complicated and sensitive to the specific context in which the market is to function. It cannot be based on formal theoretical models alone. Institutional design requires an in-depth empirical understanding of current institutional arrangements and their effects on outcomes. Even with such an understanding, it may not be possible to fully control the setup and working of a market, as they are in part emerging from the interaction of multiple actors. However, it should be possible to nudge the system in the desired direction. 



Part II presents efforts to: (1) collect evidence on the security tradeoffs of Internet market participants; (2) how those participants perceive the incentives under which they operate; (3) which economic decisions these incentives support, and (4) the externalities that arise from these incentive structures. The objective of Part II is to contribute to the debate on the economics of malware from an empirical and analytical perspective. It is not intended to explore and develop detailed policy recommendations. 

Chapter 5 reports the findings of the field work. Based on 41 interviews with representatives of Internet market participants, as well as 






Chapter 6 aggregates the research findings and discusses the externalities that emerge as market participants make incentive-driven security decisions. In some cases, externalities are borne by market participants able to influence the security tradeoffs of those generating the externalities, bringing the net market impact closer to the optimum. In other cases, the externalities are simply borne by market participants or by society at large. Part II concludes with a summary of the efficiency and distributional effects of externalities and an overall assessment of the costs of malware. 

The annex at the end of Chapter 5 contains a list of the survey participants. Annex B at the end of this report describes the survey in detail. 



5. SURVEY OF MARKET PARTICIPANTS; WHAT DRIVES THEIR SECURITY DECISIONS? - 89 



Chapter 5. Survey of Market Participants: 
What Drives Their Security Decisions? 



Participants in the Internet ecosystem are confronted with malware in different ways; their responses are motivated by the specific incentives under which they operate. To better understand these incentives and their effects, a qualitative field research project was designed. In the course of this project, the research team conducted 41 interviews with respondents from a broad cross-section of organisations. (For more information on the research design and the interviewees, please see the list at the end of this chapter and Annex B.) 

Below, we discuss the findings on the security-related incentives of five key Internet segments: Internet Service Providers (ISPs); e-commerce 

registrars; and end users. Interviews were also conducted with representatives of organisations governing security issues (such as CERTs, regulatory agencies), representatives from security service providers, and security researchers. 

Internet service providers 

While the term ISP is used to cover a variety of businesses, typically they provide individuals and organisations with access to the Internet. Many ISPs offer related services to their customers, which is why the term sometimes also refers to hosting providers and content providers. For the purposes of this study, we focus our analysis primarily on ISPs that provide Internet access. 

The role of ISPs in improving Internet security has been the focus of many recent debates. That's because it has proven extremely difficult to 






considerably lower - Trend Micro published a figure of 7% (Higgins). Nevertheless, even these lower estimates imply tens of millions of compromised machines. Given the enduring problems around end-user security and its effects on the wider network, it seems inevitable that attention would shift to other players in the ecosystem. 

What incentives do ISPs have to reduce the problem of malware? One answer: very few, if any. Recently, the UK House of Lords Science and Technology Committee published a report which states: "At the moment, while ISPs could easily disconnect infected machines from their networks, there is no incentive for them to do so. Indeed, there is a disincentive, since customers, once disconnected, are likely to call help-lines and take up the time of call-centre staff, imposing additional costs on the ISP." (House of Lords 2007a, p. 30) 

ISPs may unwittingly reinforce the impression that they have few, if any, incentives to improve the security of their services. During the inquiry leading to the House of Lords report, ISPs argued that the current approach to regulation should not be changed. The resistance of most ISPs to increased government involvement led the committee to conclude that the ISPs were simply maintaining the status quo, rather than reducing the problem. The latter, however, does not follow from the former. The resistance to government involvement does not mean that ISPs are not increasing their efforts to fight malware. In fact, the committee itself also heard evidence from an ISP who in fact disconnects customers whose machines had been infected and then helps them back online. A survey from the European Network and Information Security Agency found that ... ISPs report that they quarantine infected machines (ENISA, 2006b). The figure does not include any indication of the scale at which ISPs are quarantining infected machines - a point to which we return in a moment. The evidence does, however, clearly question the earlier statement by the committee - and others - that ISPs have no incentives to disconnect infected machines. Either the statement is wrong, or ISPs are assumed to behave irrationally. Our evidence suggests the former. 

The ISPs we interviewed described substantial efforts in the fight against malware, even though they are operating in highly competitive markets and there is no governmental regulation requiring them to do so. All of them are taking measures that were unheard of only a few years ago. Most of our interviewees dated this change to around 2003, when it became obvious 






Incentives 

The costs of customer support and abuse management 

An understanding of these incentives could start with this statement by a security officer of a smaller ISP: "The main [security-related] cost for ISPs is customer calls." The same view was expressed with minor variations by many other interviewees. A medium-sized ISP told us that an incoming call to their customer centre costs them EUR 8 on average, while an outgoing call - for example, to contact the customer regarding an infected machine - costs them EUR 16. The costs for e-mail were similar. When we mentioned these numbers during subsequent interviews with other ISPs, they confirmed that their costs were in the same range. 

The incentive here is that security incidents generate customer calls, quickly driving up the costs of customer care. The ISPs may not be legally responsible for the customers' machines; in reality many customers call their ISP whenever there is a problem with their Internet access. Regardless of the subsequent response of the ISP, these calls increase their costs. An interviewee at a large ISP told us that their customer support desk is a substantial cost for the company, and that the number of calls was driven up by infections of their customers' machines. He further added that all of their outgoing security-related calls had to do with malware. 

Of course, many forms of malware do not manifest themselves directly to customers. Nevertheless, as security problems rarely come alone, lax security generally tends to increase customer calls. Furthermore, even if customers have not noticed anything wrong, their compromised machines may generate abuse notifications to their ISP from other ISPs who receive incoming spam or malware from the customer's IP address. Similar to customer contact, dealing with abuse notifications drives up costs because it requires trained staff. Tolerating more abuse on the network raises the number of notifications that have to be investigated, responded to and acted upon 

or ignoring it altogether, until the problem gets resolved. All the ISPs we interviewed have procedures in place for handling abuse notifications and do filter and suspend connections, though with varying frequency. All of them also mentioned a small number of cases where extreme forms of abuse led to the termination of the contract. 






form. Many of these notifications are automated. Several ISPs reported using the so-called AOL Feedback Loop, which sends notifications of e-mails that are reported as spam by AOL recipients back to the administrator of the originating IP address. 

As with customer complaints, not all malware infections will result in abuse notifications. One ISP reported internal research into the degree to which notifications adequately represented the size of the security problems on their networks. They found that only a small percentage of the compromised machines they saw on their network showed up in the notifications. Still, ISPs notifying each other of security problems is an 

In some countries, ISPs have interpreted the stringent privacy regulations in ways that substantially limit their ability to monitor their own network. In those cases, they rely heavily on notifications coming in from other ISPs, which then allow them to initiate their own investigation. For the ISPs we interviewed, customer contact and abuse notifications are a strong incentive to invest in security both at the network level, as well as at the level of the customer. One medium-sized ISP estimated they were spending 1-2 % of their overall revenue on security-related customer support and abuse management. This also helps to understand why more and more ISPs are offering "free" security software or "free" filtering of e-mail - that is, the costs of these services are included in the subscription rate. One ISP described how about four years ago they started offering virus filters for e-mail as a paid service, but soon thereafter decided to provide them for 'free': "Within six months, all ISPs [offered these paid security services], so it was no longer a unique selling point. Plus, we could not get more than 10 % of our customers to buy the service... We did not actually do the math, but we figured that by offering it to all our customers within the current rate, we would be better off.... We already paid the AV license. If people have the choice to pay for it or not to pay for it, they do not." 

There is another way of responding to these incentives, however: Don't respond to abuse notifications and avoid customer contact altogether. A number of ISPs is doing exactly this. What is stopping other ISPs, including those we interviewed, from doing the same? Here, we came across two related relevant incentives: blacklisting and brand damage. 



The costs of blacklisting 






of blacklists available and ISPs may use them in different combinations. 

According to many interviewees, most ISPs use blacklists nowadays. Many of the lists are free and run by volunteers, though their operations may be funded through external sources. Each DNSBL has its own criteria for listing an IP address in the list and its own procedure for getting an address off the list. Spamhaus, an international non-profit organisation funded through sponsors and donations, maintains several famous blacklists - though they prefer the term block lists - which they claim are used to protect over 600 million inboxes. One of their lists contains the addresses of 

... services"; another list focuses on botnets, which run as open 

It should be noted at this point that blacklisting, while potentially effective, has drawn its own criticisms - regarding, among other things, vigilantism of blacklist operators, listing false positives, the collateral damage that may come with blacklisting certain IP addresses or ranges, and the financial motives of some list operators. Furthermore, blacklists have suffered from legal threats; in some cases, spammers on occasion were successful in obtaining court verdicts against being blacklisted (e.g. ... 2006; Heidrich, 2007). Within this report we focus on how blacklisting works as an incentive for ISPs. 

Blacklisting provides an incentive to invest in security because it ties in with the incentives mentioned earlier. One interviewee at a medium-sized ISP told us about a security incident where 419 spammers set up over 1,000 e-mail accounts within their domain and then started pumping out spam. This got the ISP's outbound mail servers blacklisted, which resulted in 30 ... calls to their customer centre by customers who noticed their e-mail was no longer being delivered. That number does not include the incoming abuse notifications, of which there were "even more". After this incident, the ISP changed the procedure through which new customers can set up e-mail accounts; they invested millions in equipment to monitor their network; and they started blocking port 25. "It took us years to get a procedure approved to be able to block port 25. It costs nothing. But the business units didn't want us to be able to shut it down, because of their clients. They now understand that it is in the interest of their clients, to avoid blacklisting." 






If the customer does not resolve the problem, the connection is suspended. When asked how they got the business side of the company to accept this policy, he answered: 

"They hated it at first. But at the end of the day, the media fallout by being cut off by AOL and MSN is too big. The big ISPs, they use very aggressive [DNSBL] listings. They take out whole IP ranges. We used to be listed and entire ranges of our IP addresses were blacklisted." 

There are various levels of blacklisting used to incite a response from an ISP. At the lower end, we find blacklisting of individual IP addresses, i.e. an individual customer. This has "exactly zero impact on the ISP," said a security expert. Only when they start to accumulate, might they get the ISP's attention. The expert explained that ISPs mostly ignore listed individual IP addresses, because of the costs of dealing with them - e.g. customer support - and because the IP addresses get taken off of the blacklist as spammers or botnets move on to other infected machines. After a few months, the level of infected machines on the ISP's network might be equally high, but with a different set of individual IP addresses that are now blacklisted. Blacklisting IP ranges and the blacklisting of outbound mail servers are a more powerful incentive. These typically do get the ISP's attention and lead to remedial action on their end, although it varies whether or not the ISP stays vigilant. The most extreme form is blacklisting an entire network, i.e. all addresses of an ISP. This is only used against semi-legitimate ISPs that do not act against spam and known spam-havens. 
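The escalation described above - individual listings that churn as infections move from one customer address to another, then range-level listings once they accumulate - is something an ISP's abuse desk can watch for in its own address space before a DNSBL operator does. The script below is an added example, not code from the OECD report or from any of the interviewed ISPs. It assumes two constructed weekly snapshots of listed IPv4 addresses drawn from the RFC 5737 documentation prefixes (203.0.113.0/24 and 198.51.100.0/24), and an assumed per-/24 threshold of 4 listed addresses; it aggregates listings by prefix, flags prefixes that cross the threshold, and measures how many addresses were delisted and newly listed between the two snapshots.

```python
import ipaddress
from collections import Counter

# Constructed sample data (not real DNSBL output): addresses from the ISP's
# own ranges that a block list reported as listed in two consecutive weeks.
SNAPSHOT_WEEK1 = [
    "203.0.113.5", "203.0.113.17", "203.0.113.44", "203.0.113.91",
    "198.51.100.7", "198.51.100.200",
]
SNAPSHOT_WEEK2 = [
    "203.0.113.17", "203.0.113.120", "203.0.113.130", "203.0.113.131",
    "203.0.113.140", "198.51.100.7",
]


def count_by_prefix(listed, prefixlen=24):
    """Count listed addresses per enclosing prefix (default /24)."""
    counts = Counter()
    for ip in listed:
        # strict=False masks the host bits so 203.0.113.5/24 -> 203.0.113.0/24
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        counts[str(net)] += 1
    return counts


def prefixes_over_threshold(listed, threshold, prefixlen=24):
    """Prefixes whose listed-address count has reached the threshold, sorted."""
    counts = count_by_prefix(listed, prefixlen)
    return sorted(p for p, n in counts.items() if n >= threshold)


def churn(old, new):
    """Split two snapshots into (delisted, newly_listed, persistent) sets."""
    old_set, new_set = set(old), set(new)
    return old_set - new_set, new_set - old_set, old_set & new_set


def report(old, new, threshold=4):
    """Summarise churn and the prefixes at risk of a range-level listing.

    The threshold is an assumed value for this example; a real abuse desk
    would calibrate it against the listing policy of each block list it uses.
    """
    delisted, added, persistent = churn(old, new)
    return {
        "delisted": len(delisted),
        "newly_listed": len(added),
        "persistent": len(persistent),
        "at_risk_prefixes": prefixes_over_threshold(new, threshold),
    }


if __name__ == "__main__":
    summary = report(SNAPSHOT_WEEK1, SNAPSHOT_WEEK2)
    for key, value in summary.items():
        print(f"{key}: {value}")
```

On the constructed data the /24 stays at roughly the same listing level across both weeks while only one address is common to both snapshots, which is exactly the churn pattern the interviewed expert described; the per-prefix count is what would reveal the build-up towards a range listing that individual-address handling would miss.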

The costs of brand damage and reputation effects 

The "media fallout" mentioned previously by an interviewee indicates a more general concern with brand damage that was mentioned by many interviewees as an incentive to invest in security. With few exceptions, these ISPs want to present themselves as responsible businesses (Arbor Networks, 2007), providing safe services for their customers. 

A related incentive is the reputational benefits of offering security services. The increasing attention on Internet security - or rather, to the lack of it - is creating demand for such services. One interviewee said: "The customers ask us for 'clean pipes.' We do not know what that means exactly, but they ask us anyway. We're looking into what we can do for them." The past years have witnessed the emergence of managed security service providers. 






of security may be a significant factor. For the consumer market, interviewees argued that customers care about price first and foremost. Internet access is marketed primarily on price. Furthermore, even if they do care about security, most customers will find it very difficult to assess the security performance of one ISP relative to its competitors. Nevertheless, the more significant finding here is that whether ISPs really worry about bad publicity or not, being blacklisted has direct effects on their operating costs, as well as their quality of service. The latter may in fact drive customers away. As one industry insider described it: "A high cost option is to investigate each complaint rigorously. A different kind of high cost option is to do nothing." 

The costs of infrastructure expansion 

An incentive that was more difficult to gauge is the effect of malware on the capital expenditures of the ISP - that is, the need to expand infrastructure and equipment as more spam or malware comes through the network. A recent survey found that Internet-based denial of service attacks are growing faster in size than the ISPs are expanding their networks - which is worrying the ISPs (Arbor Networks, 2007). 

Interestingly, infrastructure expenditures - apart from the costs of filtering equipment - were hardly identified during interviews as malware-related costs, a point to which we return shortly. As was mentioned earlier, interviewees pointed to customer contact as the highest security-related cost. When asked about infrastructure, a Chief Technology Officer answered: "The network is not affected. We have overcapacity to deal with DDoS. So that's not the problem." 

At another ISP, the Chief Information Security Officer told us: "We tend to have overcapacity of the network, so the growth in spam did not require us to expand the capacity." To which one of his colleagues added: "The number of servers has increased, though." Others have argued that the volume of malware and spam-related traffic pales compared to the traffic of peer-to-peer networks and video streaming sites such as YouTube.com. We should add, however, that the presence of overcapacity may reflect the fact that we only interviewed ISPs in selected OECD countries. It may be different in other regions. 

When we presented these findings to an expert in the economics of 






-related customer support. To them the infrastructure cost "is just a number their accountant writes on a check every month." 

However, infrastructure is the main overall cost for any ISP, so any effect of malware on capital expenditures could potentially outstrip other expenditures. These costs do not gradually increase with the amount of malware and spam, but rather as a step function when capacity runs out. It is difficult to relate these expenditures back to specific traffic patterns of spam and malware infections. Only higher up in the organisation are people in a position to compare the relevant numbers, although at that level the necessary security expertise and data is often missing. The interviewee explained that there are really three groups of people who all see a part of the ..., without being able to cross-connect it: "One group is dealing with ..., one group is dealing with the capital expenditures and engineering ... and another group is dealing with handling the money." In terms of incentives, however, this lack of awareness implies that infrastructure cost is not a strong driver of the attempts of ISPs to reduce the impact of malware. 

The costs of maintaining reciprocity 

An incentive that was mentioned by all interviewees is related to the informal networks of trusted security personnel across ISPs, CSIRTs and other organisations - which we mentioned earlier. When describing how their organisation responded to security incidents, interviewees would refer to personal contacts within this trust network that enabled them, for example, to get another ISP to quickly act on a case of abuse. There is not one formal network, but rather several overlapping ones. An ISP may approach a contact at a national CERT in another country so as to get in touch with the relevant person at an ISP in that country. These contacts are reciprocal. They are also contacted about abuse in their own network and are expected to act on that information. The incentive is that to maintain reciprocity, an ISP has to treat abuse complaints seriously, which is costly. The more abuse takes place on its network, the more other contacts in the network will ask for intervention. 

Maintaining reciprocity not only establishes the informal network as a valuable resource, it also reduces the likelihood of being hit with blacklisting or other countermeasures. As one interviewee explained, "when we get in touch with service providers, we're saying, get this ... off the network or 






some leeway to deal with security issues before significant blacklisting occurs. One ISP security officer told us that these informal contacts imply cost savings. Less staff time is needed to deal with the fallout of a security incident - e.g. going through time-consuming procedures to get off blacklists - and to deal with customer support. 

Disincentives 

So far we have discussed incentives that reinforce the benefits of security for ISPs with regard to malware. The incentive structure is mixed, however, and includes disincentives as well. An obvious disincentive is the cost of additional security measures. Typically, the trade-off is between the direct costs of additional measures, which are visible in the short term, and the costs generated by increasing security problems, such as customer support and abuse management. A security expert at a large ISP told us that for management it is difficult to estimate the amount of money the company could save with a technical solution which is supposed to reduce the costs of the help desk or call centre. Another interviewee added that a complicating factor was that managers had encountered over-promising security providers who sold them 'magic boxes' that were supposed to solve everything. 

We should mention, however, that the ISPs' decisions often were not driven by formal economic assessments or detailed analysis of their own cost structures. As one insider phrased it, "ISPs very much drive by the seat of their pants. Except for a very few of the largest ones, they are not actually crunching the figures." When we asked how certain investments or measures were approved, the "business case" that supported them was typically rather commonsensical in nature, including rough estimates of direct costs and benefits, with the indirect ones not monetised or otherwise quantified in any amount of detail. 

One interviewee told us that when considering security investments, they "look at the cost of not doing it", for which they produce rough estimates. Another ISP explained to us how they decided to set up a so-called 'walled garden experience' for infected users. Rather than disconnecting these users completely, the 'walled garden' provided them with access to security tools and Windows Update. A security officer 






isks it nd constraints 

■ther disincentive is related to legal constraints. During the 
MS, the European ISPs had different answers to the question on how 
lanoeuvring space Ihc ' mere conduit' provision of the EU E- 
rce Directive allowed them. Monitoring their network more closely 
lit; reasons could potentially lead (o liability issues, sonic of Hie 
wees felt. In some EU countries, interviewees reported that privacy 
ins that potentially treat IP addresses as private data had led their 
partments to set boundaries which affected the ability of the security 
track malicious activity on their network for example with regard 
ng individual IP addresses. 

interviewee reported thai security still I sometimes were not allowed 
nfomiation on malicious activity detected on the network. When 
iout the limits of the 'mere conduit' provision, one security officer 
id that they never encountered these limits, because the privacy 
ins were much more constraining. Rather than monitoring their own 
. this particular ISP could act on incoming abuse notifications lor 

IP addresses and it relied heavily on this procedure. In a sense, the 
i monitoring its own network through the incoming notifications 
ler ISPs, CSIRTs and the like. 

where there have been reports over liability issues around 
measures, such as discarding the command and control traffic of a 
botnet or diverting it to where the botnet's behaviour can be studied more 
(Higgins, 2007a). According to a security researcher "it involves 
with a customer or peer's Internet address space... Obviously, 
in this area could be considerable." A security manager at a 
n ISP said "infiltrating is very risky and getting legal support for 
Hers, very difficult." 

ic legal experts argued that these legal risks are non-existent, that 
based on an incorrect understanding of current legislation - e.g. that 
data protection legislation does not at all conflict with network 
monitoring and other security measures. While that might be true, the reality 
the legal departments of some ISPs apparently interpret the situation - 
mistakenly - as rather ambiguous. These ISPs tend to be rather risk 
averse in dealing with this ambiguity. The transaction costs of clarifying 
issues are, ceteris paribus, an obstacle to higher security. 






business side of their company initially opposed the security 
to block port 25. They did not want to inconvenience their 
customers. Anything that might turn people away is a problem, because the 
acquisition of new customers is high. The burden of proof fell on the 
staff to convince management that the proposed measures were 
ig the brand. Other ISPs also mentioned going to great lengths to 
asing customers while managing abuse. That might limit the 
;ness of their response to security incidents. 

ESRi 

ie of the security-enhancing incentives discussed above work as 
disincentives under different business models than those of the ISPs we 
interviewed. When dealing with abuse complaints becomes too costly, one 
can either reduce the amount of abuse on the network or one can reduce 
management of abuse - i.e. become less responsive to the complaints 
res. The same holds for customer support. In fact, such a lack of 
could be part of the business model. It may, for example, allow an 
x cheaper than its competitors. One ISP indicated that a certain 
of its customers was actually "mini ISPs" which predominantly 
hosting services. The mini ISPs' retail prices were significantly 
lower than those of the upstream ISP from which they bought access, 
they provided very limited support functions. Some of these mini 
ISPs could not patch their servers properly, thus becoming an easy target 
malware. They were not very responsive to abuse complaints either. Our 
interviewee, being an upstream access provider, would then be contacted by 
ISPs to take action against the mini ISP. 

Another business model is sometimes referred to as "rogue ISP" or ISPs 
, in the words of one interviewee, "decidedly grey". These attract 
customers precisely because of their lax security policies. While these ISPs 
more disincentives for improving security than the ones interviewed, 
not fully immune to some of the security-enhancing incentives we 
discussed earlier, most notably blacklisting. As one interviewee explained: 
"There are some ISPs in our country that are decidedly grey. They will take 
and take no action against abuse. People will go there and then they 
ve again, because they are unreachable [because of blacklisting]." 
rogue business models are eventually affected by blacklisting, 
ily, a Ukrainian ISP started answering our abuse reports," the 






a provider who is in fact security conscious and sensitive to the 
incentives discussed earlier, such as maintaining reciprocity and 
:ing. In the example of the mini ISPs, their upstream provider forces 
them to deal with abuse complaints, because it reflects badly on the 
upstream provider if they do not. Beyond blacklisting, there is also de-
peering - that is, an ISP may disconnect from a misbehaving ISP at an 
Internet exchange point. For the ISPs we interviewed, this is not an 
important incentive, because de-peering for security reasons is typically only 
d against rogue ISPs, not among regular ISPs. De-peering forces the 
cted ISP to buy transit service for its traffic, which implies much 

Summary of ISP incentives 

The balance between incentives and disincentives will vary depending 
on the ISP. On the whole, recent years have witnessed increased efforts by 
ISPs in dealing with malware, even in the absence of regulation or other 
of public oversight. The incentive mechanisms we discussed 
en the ISP's own interest to internalise at least some security 
externalities originating from their customers, as well as from other ISPs. In 
the current incentive structure seems to reward better security 
performance for legitimate market players - though it is sensible to keep in 
mind that in many countries price competition is intense, which is a 
disincentive with regards to security, other things being equal. 



Incentives to confront malware 

Disincentives 

• Costs of security 
• Legal restraints 
• Costs of customer acquisition 
• Maintaining reputation and [...] brand damage 

Key considerations for ISPs 

ition 






automatically generated a list of 2 500 IP addresses a day of customers who 
had some form of security problem. When these cases hit a certain 
threshold, they would be automatically quarantined to only have access to 
Windows Updates and a range of security services. 

While the technologies to automate the process of quarantining would 
scale up the ISP's response, it also brings into focus a critical 
ck: the costs of customer support would become prohibitive if all 
machines were to be quarantined. A security officer at a large ISP 
d that the number of customers that would be affected at any time 
be in the tens of thousands. While this number might go down over 
time as network security improves, it was obvious that the business side 
would not accept the cost impacts of such a measure. 

Typically, the number of machines that are isolated on a daily basis is 
y modest - tens or, for large ISPs, perhaps hundreds of machines. At 
:I, the effort is effective in that it reduces the ISP's problems with 
nd blacklisting. But compared to estimates of the total number of 
is on each network, these efforts look rather pale. When asked to 
estimate the ratio between the actual number of infected machines on their 
and the number of machines for which they receive abuse 
notifications, most interviewees estimate that the ratio is quite low. Only a 
small percentage of these machines would show up in abuse notifications 
and be dealt with. One interviewee called this "the two percent rule." A 
expert was highly critical of the effectiveness of the efforts by ISPs: 
they are contacting more than 10 % of their customer base on a 
basis, they are effectively taking no action". 

it of ISP incentives 

A related issue is that the incentives of ISPs do not reflect the whole 
of current malware threats. ISPs are predominantly sensitive to 
malware that manifests itself in ways that make their customers call in, leads 
to abuse notifications or that causes problems with blacklisting. That means 
proxies and DDoS (denial of service) attacks attract attention and raise 
while spyware, for example, does not: "People get infected and it is 
difficult to track them. Spam and DDoS is noticeable at the network 
but spyware stays on the computer, quietly collecting data." Others 
argued that many ISPs are failing to prohibit the forging or spoofing of 
addresses by hosts as well as failing to filter outgoing traffic from IP 






machine. Even then, the situation is often anything but 
straightforward. "The issue is, how do you help the people who are infected, 
e current state of the security products in the market place? We see 
ie, we know there's something wrong, but how do you find what it is 
current products? It's very hard... About 85-90% of the malware is 
not recognised by AV products, because a small change is enough to dodge 
the signature." 

; with rogue ISPs 

Another important caveat is that there are classes of ISPs for which the 
incentives to improve security are too weak, or which even have strong 
disincentives to improve it, as discussed above. The ISPs we interviewed 
: existence of such ISPs as a fact. Because it is possible for rogue 
stay outside the reach of legislation and law enforcement, they are 
be present for the foreseeable future. The ISPs we interviewed have 
learned to live with the presence of the rogue and semi-legitimate ISPs, 
and have found that they are able to operate quite effectively in this 
environment through a combination of tactics, including those mentioned 
such as informal contacts that address upstream providers and 

In the mind of ISPs, no matter what policies, governance structures or 
es are put in place there will always be some providers, outside or 
their own jurisdiction, who will be a source of malware and other 
abuse. Once this is accepted, then it is also accepted that an ISP has 
defenses and develop procedures for dealing with attacks. "You will 
have to accept a certain level of noise, that is, of evil. You try to 
below a certain threshold of irritation" said a security officer. This is 
one of the reasons why many ISPs are not impressed by proposals to 
some set of baseline or best security practices for ISPs. One such 
proposal was under development by the Dutch electronic communications 
regulator OPTA but it was shelved for the time being after significant 
k regarding the legal basis for such regulations. The recent report of 
House of Lords Science and Technology Committee (2007a, p. 31) 
advocated making "good practice... the industry norm[, by means of 
regulation if necessary.]" 

The fact that ISPs can work within the insecure status quo does not 
mean that their responses are static or complacent. The status quo actually 






E-commerce companies 

The multitude of companies that buy and sell products or services over 
the Internet operate on a wide variety of business models, each with 
different incentive structures for security. We have chosen to focus on 
financial services, since they have been an important target of 
attacks, arguably more than any other sector (Counterpane & 
MessageLabs, 2006). This includes brick-and-mortar banks that are offering 
their service portfolio online, credit card companies, as well as 
online financial service providers, such as PayPal. The sector has been 
ed with a wide range of threats ranging from botnet-assisted 
spam runs and phishing websites, to key loggers and Trojans that 
man-in-the-middle attacks during secure banking sessions. 

Incentive: increased online transaction volume 

A key incentive for all these companies: a growing volume of online 
transactions. Credit card companies and online financial service providers 
charge a fee per transaction, either a flat amount or a percentage of 
the transaction. The situation is somewhat different for brick-and-mortar 
banks. For many of their services, they do not make any money from the 
transaction itself. Their incentive to pursue online banking is the 
considerable cost savings that it enables. Two of the interviewees in the 
financial sector estimated that online transactions were in the order of 100 
times cheaper than processing those transactions offline, through their 
offices, mail or phone. Given the enormous volume of financial 
transactions, cost savings of that magnitude translate into a very powerful 
incentive to move online as many of these services as possible. 

How does this incentive affect security decisions? To answer that 
question, we need to understand how transaction volume interacts with 
other incentives: the benefits of trust in the online services; the 
of usability; the cost of security measures; and the cost of fraud. 

Incentive: consumer trust 

Within the sector, it is assumed that consumer trust in the security of 
services is a necessary condition for their uptake. This rewards 
in security. Beyond this generic consensus, however, views 






Several consumer surveys suggest that security problems turn people 
away from e-commerce and online banking, in particular. The 2006 UK Get 
Safe Online survey reported that the fear of falling victim to Internet crime 
4 % of respondents from Internet banking and has put off 17 % from 
use all together (GetSafeOnline, 2006). It is difficult to interpret the 
of these findings when compared to other data. For example, most 
financial service providers still report significant growth rates in the 
of their online services (PayPal, 2007). These two seemingly 
contradictory pieces of evidence point out that the role and impact of trust is 
not adequately understood. An industry study of trust in e-commerce 
e et al., 2006) argued that "[w]hile an initial hypothesis may be that 
do not engage with online services because they do not trust them, 
findings have shown that trust is not as significant a measure as first 

What is more important to understand is that people are willing to take 
risks online, as long as they are informed, and it is clear how consequences 
are addressed. People use specific services not because they trust them, 
but because they in some way provide a benefit to the individual and they 
that if something goes wrong, restitution will be made." This suggests 
an important factor driving the use of online financial services is not the 
trust in the security of these services, but the more specific 
ion that a customer will be compensated in case of fraud. In other 
words, from a customer's perspective, it seems more important that financial 
providers assume liability for online fraud than that they achieve a 
level of - perceived - security. 

Trade-offs 

and usability vs. security 

Assuming that increased security increases consumer trust and, in turn, 
increases the uptake of online services, this effect would still need to be 
against the effects of increased security measures on the usability 
of the service. One of our interviewees at a bank with an international 
explained that the national branches of his company positioned 
themselves differently with regard to this trade-off. While in some countries 
two-factor authentication was readily accepted, in other countries the bank 
its customers were less open to such security-enhancing technology. 






In balancing usability and security, these companies try to maximise the 
volume of online financial transactions, while keeping the level of fraud at 
acceptable levels. 

Online volume vs. losses due to fraud 

Another important incentive for security is the fraud losses that 
accompany the increasing volume of online transactions. In the United 
States, banks are liable for direct fraud losses under the Electronic Funds 
Transfer Act of 1978 - also known as "Regulation E". Under this regime, 
customers are compensated for such losses, unless the bank can prove that 
the customer's claims are false. In many other jurisdictions, the banks are 
strictly speaking not liable for such losses. In practice, however, the banking 
sector has often adopted voluntary codes which specify that customers who 
suffer losses are compensated - unless there are clear indications that they 
colluded in the fraud. 

To understand how the cost of fraud influences security decisions, it is 
it to look at some of the available numbers. The United Kingdom 
ably the best data available. APACS, the UK payments association, 
s numbers based on actual banking data, not estimates based on 
and extrapolation. As one would expect, direct losses from phishing 
in the United Kingdom have risen, though with a recent fall: from 
.2 million in 2004 to GBP 33.5 million in 2006 to GBP 22.6 million 
(APACS, 2008). Over the past years, the number of phishing attacks 
increased significantly: from 2 369 attacks in 2006 Q1 to 10 235 in 2008 
The broader fraud category of "card-not-present" fraud - which 
phone, Internet and mail order fraud - has risen from GBP 150.8 
million in 2004 to GBP 290.5 million in 2007. 

This is not to downplay the seriousness of these losses, but it is important to 
note that the damage of phishing attacks is still well below the numbers 
other fraud categories, such as stolen or lost cards (GBP 56.2 million in 
and counterfeit card fraud (GBP 144.3 million in 2007). Furthermore, 
while these numbers are going up in absolute terms, so is the number of 
customers banking online, as well as the overall volume of online 
transactions. APACS argues that the rise in card-not-present fraud should be 
against the increase in the use of online or telephone transactions. 
While fraud has risen by 122 % from 2001 to 2006, the use of online or 
telephone shopping itself has grown by 358 %. Unfortunately, the available 






accounted for 40 % of cases. PayPal recently reported their direct losses 
as being 0.41 % of overall transactions, but could not give information 
trend of their losses (House of Lords, 2007b, p. 196). 

<d implementation of security measures 

While exact figures are hard to come by, the companies we interviewed 
their security investment levels are much higher than their direct 
fraud losses, often by one or two orders of magnitude. The capacity to deal 
with incidents is often already more expensive, let alone all of the 
ory measures and security defenses being put in place, such as the 
introduction of two-factor or three-factor authentication. 

One reason for this level of investment is that direct losses are not seen 
as representative of the overall problem. It would be much more devastating, 
for example, if online fraud eroded customer trust or slowed down the 
of online financial services. Furthermore, there are reputation effects 
:s that are targeted by attackers as well as for the industry as a whole. 
has robust estimates on either of these effects, which makes it 
for financial companies to calibrate their security investments. 

In general, the incentives are to keep fraud at acceptable levels and 
compensate victims, rather than to eliminate it. The latter would be 
economically inefficient, not only in terms of direct cost but more 
importantly because pushing fraud back further might require the 
introduction of security measures that make the use of online financial 
services less attractive to customers. A reduction in the growth of the online 
transaction volume is likely to imply higher costs for banks than the current 
losses caused by online fraud. 

Companies, alone and through sector-wide collaboration, assess risks 
and prepare new security measures, which can be rolled out when they feel 
current defenses are no longer adequate. Exactly when is hard to specify, 
but innovations have been put in place rather quickly. Phishing attacks, 
for example, are increasingly dealt with by contracting out response efforts 
to security providers who scan for phishing spam and hunt down sites that 
the official bank website, at which time they initiate notice and 
takedown procedures. Occasionally, this takes down legitimate web banking 
as well, when the security department is not aware of a marketing 
campaign from another part of the organisation and thus has not whitelisted 






incremental changes to their two-factor authentication systems, which are 
y easy for the attackers to defeat. More structural measures, such as 
transaction authentication or three-factor identification, would require costly 
modifications to the back-office systems, as well as requiring customers to 
learn new and more laborious security methods. 

So far, the response has been to make minor revisions to existing 
systems so as to disable the last successful attack tactic. These measures are 
accompanied by a number of other safeguards - such as temporarily 
down the processing of real-time transactions. The direct financial 
losses of each attack have been relatively low, which makes the possibility 
ed that the relatively modest losses per incident appear to be a 
deliberate strategy of the attackers. These attacks are trying to stay under the 
radar of the fraud detection systems - as well as making it less worthwhile 
for law enforcement officers to devote a large amount of resources to 
down the criminals. 

Summary of incentives for financial service providers 

The incentives of financial service providers are such that in many cases 
companies compensate customers for the damage they suffered from 
online fraud. They are willing to internalise these costs because the benefits 
outweigh them. In that sense, they internalise the externalities of sub-
optimal security investments and behaviours of their customers, as well as 
of software vendors whose software is exploited to execute the attacks. 
Interviewees told us that when designing the security of their services, they 
assume that the end user PC is compromised. Many financial service 
providers claim they compensate all malware-related losses. If that claim is 
, then the security level achieved by the whole value net may not be 
from the optimum. The financial institutions bear the externalities, 
but they are also in a position to manage the risk through their security 
s on online financial services. 

Key considerations 

Incomplete information on customer trust 

First, one could argue that there are still externalities in the sense that 






services and, more to the point, from the increased adoption of these 
services. In other words, this is a problem of incomplete information, rather 
than misaligned incentives. 

Incomplete compensation of fraud losses 

A second consideration is that not all fraud-related costs to customers 
are compensated. While the financial institutions compensate victims for 
direct losses, this might not cover all the losses that result from the 
In cases of identity theft, victims may not get all costs reimbursed and 
may struggle for years with the consequences of having their personal 
information abused, such as blemished credit reports (TechWebNews, 



r liability to merchants/customers 

Third, in several countries the banking sector is re-considering the 
liability regime, which might lead to "liability dumping". Financial 
service providers have already started to push more liability onto the 
merchants. It seems we might see a similar trend for customers. Late in 
the Ombudsman for the German banking sector ruled against a 
customer who claimed to have been victimised by a Trojan, arguing that the 
customer provided no proof of a successful malware attack (A-i3 2006; 
, 2006). The Ombudsman declared that the customer was not able to 
provide evidence of a successful malware attack, even though the 
customer's machine was infected with malware. This appears to shift the 
burden of proof onto the customer. 

In New Zealand, the banking association introduced a new code that has 
shifted at least part of the liability to customers. The new code allows the 
bank to request access to the customers' computer to verify that the 
operating system, the anti-virus software and firewall were all up to date. If 
access is refused, or the computer is deemed inadequately protected, the 
customer's claim may be turned down. Shortly after it was adopted, the code 
severe criticism. In response, several banks and other stakeholders 
changes that offer more protection to consumers. Currently, the 
seems to be focused on the complicated question of determining just 
what part of the responsibility lies with consumers (South, 2007). 

development of what one could call 're-externalising' fraud losses 






For this reason, a security official at a financial service provider called the 
move to shift part of the liability to customers "a very dangerous path to 



Internalising the cost of fraud 

ically, the existing liability regime might actually be in the best 
interest of banks. By paying for, or internalising, the damages, whether 
by law or voluntarily, banks have retained the freedom to balance 
the level of security against other factors, most notably the cost of security 
measures and the usability of online services. This has allowed them to 
make more cost-effective trade-offs than under a different liability regime. If 
they shift more liability towards their customers, they then run the risk of 
more regulatory oversight for consumer protection. 

One interviewee told us that while the US banks fiercely opposed the 
Electronic Funds Transfer Act of 1978 since it placed all liability on them, 
over time many in the industry realised that the regime was actually 
economically more rational for them. He called it "a blessing in disguise". 
Anderson (2007) found that during the period when the British banks 
operated under a more lenient liability regime for ATM withdrawals than 
US banks, they actually spent more on security, as they were doing 'due 
diligence,' rather than actual risk reduction. 

Some financial service providers argue that the current practice of 
compensating victims might provide a perverse incentive by rewarding 
customers for not securing their machine. Earlier experiences with ATM 
suggest the risk of such a perverse incentive is manageable (Anderson, 
Should banks pass on the cost of fraud to customers and merchants - 
re potentially rising forms of damage that are currently not 
compensated, such as the cost of recovering from identity theft - then this 
in the end lead to underinvestment, or even overinvestment, on the 
the banks, since they would be investing on the basis of due diligence 
than actual risk reduction (Anderson, 2007). In either case, the new 
incentives for financial service providers would shift the level, and type, of 
security investments away from the societal optimum. 



Software vendors 






g software that includes malware. The software market is highly 
differentiated, although there are many linkages between segments, such as 
operating systems and application software. Nonetheless, each market 
segment has somewhat different characteristics and hence creates different 
incentives for software vendors to improve security prior to and after release, 
and for malware writers to exploit vulnerabilities. 

In recent years, much has been written about the incentives for software 
vendors. The predominant view seems to be that software markets do not 
reward security. In the words of Anderson and Moore (2007, p. 7): "In many 
, the attitude of 'ship it Tuesday and get it right by version 3' is 
rational behaviour." 

First, some authors claim that security is a "market for lemons", as 
customers cannot tell secure from less secure software. One interviewee 
that he was in fact able to assess the security of the software his 
organisation bought, but that the different products were more or less the 
same in terms of security. So there was no real 'secure' alternative. 

Second, many segments of the software market tend to have dominant 
players because of the combination of high fixed costs and low marginal costs, 
network externalities and customer lock-in because of 
interoperability and compatibility issues. "So winning market races is all 
it", Anderson and Moore conclude (2007, p. 7). "In such races, 
competitors must appeal to complementers, such as application developers, 
while security gets in the way; and security tends to be a lemons market 
too. So platform vendors start off with too little security, and such as 
they provide tends to be designed so that the compliance costs are dumped 
on end users." 

This analysis provides a powerful explanation for how we got to the 
current state of affairs. Its implications are less clear for what happens after 
the race-to-market has been won by a software vendor. While any 
generalisation is problematic, recent years have seen substantially increased 
efforts by many vendors to improve the security of their software. The 
development and deployment of vulnerability patches has improved. 
increasingly focusing on security issues. Most of our interviewees agreed on 
this, but they disagreed over the effectiveness of these efforts - some argued it 
was too little too late, others thought the market was moving in the right 






ie of Microsoft 

For obvious reasons, one cannot avoid mentioning Microsoft in this 
context. The company's problems and efforts have been most visible. By 
now, the story is well known. Given the market dominance of its Windows 
operating system, it has been a key target for malware writers. When the 
security problems plaguing the platform mushroomed early this decade, 
notably in the form of global worm and virus outbreaks, Microsoft saw 
itself forced to change its approach. It all but halted development on its new 
operating system and re-tasked many developers to work on much-needed 
security improvements for its existing platform, Windows XP. These 
improvements were released in 2004 as Windows XP Service Pack 2 (SP2). 
While SP2 contained many vulnerability patches, it also introduced changes 
to the code base that set out to reduce the potential for vulnerabilities to be 
exploited. Furthermore, it turned on automatic updates and the Windows 
Firewall by default. 

For a variety of reasons, security among them, Microsoft then 
overhauled the code base for what would become Windows Vista, the 
successor to XP, at the cost of serious delays in the process. Vista's design 
embodied better security principles, which inevitably led to numerous 
compatibility problems when hardware vendors and independent software 
vendors had to adapt their drivers and programs to the new design. To a 
significant extent, the problems persisted even after the final release of 
Vista. Many would agree that these problems have slowed the adoption of 
Vista, as businesses and consumers wait for these problems to be resolved 
before switching. All of this implies substantial opportunity costs for 
that the security-related costs of SP2 and Vista are anything but 

Microsoft is not alone in this trend reversal, though it might be the most 
visible example. In contrast, there are vendors who operate in markets that 
demanded security from the start, such as the defense industry. These 
vendors have developed along a different path compared to those in the 
mass consumer market. As a result, their business models make it easier for 
them to economically justify security investments in the software 
development process. Just to be clear, the increased efforts in software 
security do not mean the problem of malware is getting smaller, or even that 
the frequency with which vulnerabilities are discovered diminishes. There is a 






Notwithstanding the different business models of software vendors, a 
number of incentives explain why this trend reversal took place. They point 
to a complex interplay between incentives and disincentives for security. 
Our findings do not conflict with the incentives mentioned in the literature, 
but they confirm and complement them by focusing attention on the 
incentives for established software vendors, i.e. after the "race-to-market" 
has been won. 

Incentives for software vendors 

Costs of vulnerability patching 

Developing patches for discovered vulnerabilities is costly, even if the 
fix itself is not hard to write. As one senior software security professional 
explained: "It's like the Mastercard commercial - two line code change, 20 
, finding every other related vulnerability of that type on every 
product version and all related modules, fixing it, testing it, 3 
Giving the customers a patch they can use that does not break 
priceless." 

Although it is daunting to calculate reliable and comprehensive 
estimates, the anecdotal evidence we were given suggests that an ongoing 
programme of patch development, testing and release for a complex piece of 
software - like an operating system or an enterprise database system, which 
consists of tens of millions of lines of code - is easily measured in millions of 

Even more important, some interviewees argued, are the opportunity 
costs of tasking good software developers with vulnerability patching. One 
interviewee said: "If you reallocate the developer time for patches to other 
projects, it might not be enough to build a completely new product, but you 
could build some complex functionality you could charge for. I could build 
something I could charge money for... if I did not have these defects to 

Patching also imposes costs on the customer who applies the patch. This 
may include the cost of testing the patch before deploying it within the 
organisation, the actual deployment for all the relevant systems, as well as 
the costs of remediation when the patch turns out to "break something" - 






Still, there are indirect effects that do affect the vendor. First, patching 
raises the maintenance costs of the software, which can be considered 
to raising its price and thus lowering demand - although this effect is 
partially mitigated in the case of lock-in effects or lack of alternatives. 
Enterprises assess the so-called "total cost of ownership" of software, 
not just the price of the licence. It is not uncommon for maintenance 
costs to be much higher than the price of the licence itself. Second, if 
patching is too costly for customers, they may not keep their machines 
properly patched. The resulting security problems may tarnish the 
reputation of the software itself - we return to brand damage and reputation 

Patching for enterprises vs. home users

In response to these effects, many software vendors have set out to reduce the costs of patching for their customers. For enterprises, patching is a different issue than for home users. The former need to have more control over the deployment of patches, as patches potentially disrupt critical systems. In some cases, they might opt to not apply certain patches. "While it would be wonderful if everyone stayed fully updated all of the time," said one interviewee, "many enterprises choose to do extensive testing first, ... to avoid blackout periods, and take into account many other considerations specific to their business before an update can be deployed. Businesses that regularly deploy updates will be less vulnerable to malicious software, so with all of that in mind, each business must make the risk trade-off that is appropriate for them."

The vendors we spoke to described efforts to better support their enterprise customers in this regard. Microsoft, for example, introduced Windows Server Update Services (WSUS), which allows IT administrators to control the deployment of patches across the computers in their network. Furthermore, vendors try to improve the information they provide with patches, so that businesses can make an informed risk assessment regarding whether and how to deploy a patch.

Several interviewees also indicated that enterprise customers asked for patches that are tested and released together on a regular interval (e.g. weekly, monthly or quarterly), rather than single-issue fixes released as soon as they are ready. "We do not do single fix patches, ..."




For home users, reducing the costs of patching has mainly consisted of providing easier, more user-friendly mechanisms to deliver and install patches. Microsoft developed "Automatic Updates" and turned it on by default in XP SP2. The vendor reported that over 350 million Windows computers worldwide receive the monthly "Malicious Software Removal Tool" through Automatic Updates or Windows Updates (Microsoft, 2007). In the environment of open source software, Firefox - an Internet browser with the second-largest market share, after Microsoft's Internet Explorer - has enabled automatic updates by default since version 1.5. Rather than bundling patches, the developers of Firefox release the patches as soon as they are ready. The default setting of the browser is to download and install them at the earliest opportunity. The developers recently reported that under the new model, 90% of Firefox users installed a recent security patch within six days (Snyder, 2007).

Is patching always required?

The costs of patching could also work as a disincentive for those software vendors seeking to avoid these costs. As a result, vulnerabilities may remain un-patched for too long, assuming they get patched at all, or the quality of the patches might be too low. The urgency of this issue increases as attackers, as has been reported, are moving away from exploiting the operating system and toward third-party applications and hardware drivers (..., 2006).

However, not providing vulnerability patches does not seem to be a viable strategy for an established vendor whose product is actively being targeted by malware writers. On the other hand, even substantial efforts in patch development can leave a software product vulnerable - e.g. because patches are more complicated to develop and test for products that are integrated into a larger software package. An analysis of the known vulnerabilities for Internet Explorer found that for a total 284 days in 2006, there was exploitable code available for known, un-patched critical flaws in Internet Explorer 6 and earlier versions (Krebs, 2007).

If a vendor's market position requires it to perform costly patch development, then these costs might provide an incentive for more investment in security early during the development process. This would be done in the hope of reducing the number of vulnerabilities after release — or perhaps ...




Patching vs. secure software development

While vulnerability patching is generally seen as desirable, although not by everyone (Rescorla, 2004), many have argued that it does not really solve the underlying problem. Finding and patching vulnerabilities might not make the software product itself more secure. Some research suggests that for many products, the discovery rate of bugs is more or less constant over time. In other words, finding and fixing a vulnerability does not reduce the likelihood of an attacker finding a new vulnerability to exploit (Rescorla, 2004). Furthermore, patch development consumes resources that could have been used to make software more secure before it is released.

This is a valid criticism. However, several interviewees made the case that costly patching procedures still provide an incentive for more up-front investments in secure software development. One argued that the more powerful incentive for secure software development is the fact that back-end costs are much higher than the costs of preventing the vulnerability during development. Another interviewee told us: "The argument to make for writing better code is cost avoidance, even if you charge for support (and ...). The way you get a good margin on it is if you can charge for maintenance but you do not have to constantly produce patches because they are expensive; that cuts into your margin."

We did not come across economic analyses that directly compare the costs of secure development with those of patching. It is unclear whether vendors even have this kind of data available. One interviewee told us: "I cannot add up what we've spent on the front-end... Most of secure development is good development, not some special security add-on."

It seems clear, however, that the costs of secure software development are substantial. It requires more resources and can affect time-to-market of a product - a critical factor in many software markets, though here too the effect may be tempered by customer lock-in. Furthermore, secure development often involves costly assurance processes. One interviewee mentioned the so-called "Common Criteria" evaluations for major releases of their products. These evaluations are made by external consultants and were reported to cost between USD 500 000-1 million each - not including the time-consuming involvement of internal staff.

Even in the absence of hard numbers, the interviewees were adamant that there are significant cost savings to be made by investing in secure ... in opportunity costs that potentially are even higher. In the words of one interviewee: "I worry about the opportunity cost of taking good developers and putting them on tasks for security patches for avoidable, preventable defects. That's why we put a lot of work up-front to avoid that. We do training, we have automated tools - anything you can do earlier in ... is goodness. It's never been hard to justify those costs."

Costs of brand damage and reputation effects

An additional explanation for the increased security efforts of software vendors are the reputation effects that they suffer for poor security - or enjoy for good security. The strength of these effects is notoriously difficult to estimate. Some have suggested that they provide a fairly weak incentive (Schneier, 2007). Whether that is true or not, it does seem to play a role. The major security-related changes within Microsoft were driven by the major worm and virus outbreaks in 2002 and 2003. The key difference between those security incidents and ones that preceded them was scale and the resulting damage. Neither affected Microsoft directly. The reputation effect of those incidents seems to be the most plausible explanation for the change in the company's course.

As mentioned earlier, Microsoft has invested in mechanisms to make it easier for its customers to patch their machines, even though they do not bear the customer's patching costs directly. Furthermore, so far Microsoft has allowed pirated versions of Windows to download security patches. This seems to value the reputation of the platform more than denying services to pirates. Keeping their customers patched as much as possible helps to reduce the scale of security problems that the platform is associated with.

The incentive of reputation effects might be stronger in open source communities, where reputation is a very valuable resource (e.g. Watson, ...). That might help to understand why early in the development of what would become the Firefox browser - shortly after the code of Netscape Communicator had been open-sourced in 1998 - the developers made a number of security-conscious choices. The security performance of the browser played a key role in the positive evaluations of software reviewers.



Software vendor trade-offs and disincentives




Adding functionality

"Part of the reason for the mess is that people want fancy gadgets and do not care as much about security, and that's exactly what they got," one software security professional told us. The 'gadgets' referred to in this statement are the functionalities provided by software products. Even vendors with an established market position will at some point want customers to buy a newer version of their product or a complementary product. Another interviewee said: "No-one buys your product only because it is secure, they buy it because it allows them to do new things." The drive of the market to produce ever more powerful software has generated numerous innovations. At the same time, it has made it much harder to build secure software.

Functionality versus security is not necessarily a zero-sum trade-off. Functionality can be security related, for example, or it might be implemented securely. In practice, however, they can be difficult to reconcile. The history of software development is rife with examples where trade-offs in the design of software have favoured functionality over security. Many of the much-maligned features of Microsoft's Internet Explorer, such as its deep integration into the Windows platform, started out as functionality - e.g. the ability of a website to silently install code on a system, which would increase the functionality of the system without requiring the user to understand and manage the process of installing software. There have been many beneficial uses of this functionality, but it has also turned out to be a huge security risk. In response, IE7, the latest version of Internet Explorer, has reversed many of these design decisions.

There is an intrinsic tension between adding functionality and making software more secure. Security benefits from simplicity and a limited amount of code (e.g. Barnum and Gegick, 2005; Bernstein, 2007). Many of today's major software products are neither. The need to expand functionality with each release only exacerbates the situation. Of course, secure software development practices set out to mitigate this problem, by assessing the "attack surface" of a certain functionality and managing the resulting risks or, if the functionality is inherently insecure, by excluding it from the product.




Box 5.1 Microsoft's Vista:
An attempt to balance compatibility and security

In the development of Vista, Microsoft decided to change the default way user accounts were set up. This required Microsoft developers to create a viable standard user mode with restricted privileges. They introduced User Account Control (UAC) for this purpose. Their enterprise customers, many of whom wanted to run their desktops under standard user accounts, applauded this development, as a way to reduce their total cost of ownership. The problem was that it created compatibility issues with the existing third-party software, much of which assumed administrator privileges. While vendors were informed about the upcoming changes, many did not actually adapt their code to work with these changes. One interviewee explained that it was not attractive for vendors to comply with the new restrictions, because they had to invest in changing their code just to get the same functionality that they already had before Vista.

When Vista was released, a substantial number of these compatibility issues were unresolved, even though Microsoft itself developed auto-mitigation measures to deal with many application compatibility problems that the vendors did not resolve themselves. Users experienced poor or missing device drivers and incompatible software programs. Many complained about the constant security prompts and warnings that UAC confronted them with. Because many programs did not run properly in standard user mode, they constantly had to ask for elevated privileges, which triggered the UAC prompts. This was exacerbated by the fact that UAC was not implemented very elegantly and thus generated more prompts than needed. As one interviewee explained, the move to UAC "is considered a paradigm shift that can translate into worse user experience if the user is running software that has to ... every day."

Microsoft anticipated these problems to a certain extent. They felt that the compatibility problems of end users were worth the price of moving the software industry toward building products that could operate under a standard user model. Without a way to force the third-party vendors to adapt their software, this would be a "dangerous game to play," said one interviewee, as Microsoft itself will receive the blame for these problems. UAC is one example, but other security improvements in Vista suffer from the same incentive problem: they only work if the independent software vendors adapt their code. If using the security feature is not turned on by default, the vendors might simply ignore it, which means that the feature does not actually improve security for end users. If it is turned on by default or if it cannot be turned off, then users will experience compatibility issues. These compatibility issues likely translate into delayed adoption of Vista, especially by enterprise customers, as they wait for the problems to be sorted out before they move to the new platform. For ...




... could argue that as the security-related costs of users go up, the market will reward security-related functionality that can reduce those costs. There are several well-known counter-arguments to this - including lock-in effects, lack of alternatives, weak market signals for security and the information asymmetry between vendor and customer. That said, there seems to be a market demand for certain security improvements, most notably those that reduce the total cost of ownership. Some software products, both proprietary and open source, are actively marketed as being more secure and less costly to maintain than their alternatives or predecessors. Whether the market over time can distinguish between empty claims and security improvements that actually achieve cost-savings is not ...



Maintaining compatibility

As discussed above, software products benefit from positive network externalities. The value of a software platform - such as an operating system - increases non-linearly with the number of users. There are two sides to this: the more users there are, the more vendors will want to develop software for that platform; and the more software there is for the platform, the more users will want to adopt it. Anderson and Moore (2007, p. 5) observed that all of this implies that platform vendors will impose few security restrictions so as to appeal to third-party software vendors - i.e. to maximise compatibility and inter-operability of software. How these incentives play out for a specific vendor depends on the type of product they provide and the position they have in the market.

For a dominant platform, maintaining compatibility is key when moving from one version to the next. As one industry insider told us: "The only thing [Microsoft] cared about in the transition from Windows 95 or Windows 98 to Windows XP was application compatibility, otherwise people would never move to XP." This had all kinds of effects on security and the problem of malware.

To achieve maximum compatibility, the default installation of XP set the user up with administrator privileges, which means that people by default operated their machine under a user account that allowed unrestricted control over the machine. From a security standpoint, this is undesirable, because it means that once a machine is successfully attacked or otherwise compromised, malware has full access to the machine and can, for example, ... the "attack surface" - i.e., the amount of code, interfaces, services, and protocols available to an attacker.

In response to the default user setup of XP, third-party vendors assumed that users would run with administrator privileges and they designed their products accordingly. In turn, because so much software assumed the user had administrator privileges, running the system as a regular user with limited privileges was not really viable. "The end user was pretty much forced to run as administrator", said one interviewee. While they might not have had much of a choice, end users were accustomed to having full control over their machine, unbothered by security restrictions.

Some organisations did sometimes set up the desktops of their employees with restricted regular user accounts. This is a costly set-up, however, because it requires a lot of support staff to manage these restrictions. Even minor changes needed administrator privileges and thus a support staff action. Of course, if you set up your users as administrators, the support costs are also high, because of the increased security risks. The only way to break out of this self-reinforcing costly path is for everyone to adapt their behaviour.

Allowing for user discretion

An issue that runs throughout the challenge of software security is user discretion - that is, key decisions about how to configure and operate the software product are left to the user. The user - or in enterprise contexts, the administrator - decides whether or not to install vulnerability patches, the user decides whether to operate within User Account Control or to turn it off, the user decides how to configure a firewall, and so on.

User discretion allows software products to be adapted to a wide variety of contexts and user preferences. That means the product can reach a wider market and can create more benefits for its users, making it more valuable. Perhaps more importantly, user discretion touches on property rights. Software runs on machines that are not owned by the vendor. In principle, it is the owners who should be able to decide how to balance trade-offs between functionality, performance, availability and, yes, security - as well as any other value relevant to them. After all, the owners are the first to bear the costs for what their system does - whether this affects themselves when a deployment breaks critical business applications, for example, or ...




With user discretion comes user responsibility. This is a blessing and a curse for software vendors. The blessing is obvious: many of the current security problems fall within the realm of user behaviour rather than within the realm of software production. This shields vendors from part of the responsibility to resolve these problems. Of course, it is also a curse. The decisions that users make affect the security performance of a product, which in turn affects the reputation of the product and its vendor. There is a lot of evidence demonstrating that in many cases, users lack the information or expertise needed to make rational security trade-offs or that their decisions do not account for the costs they impose on others - including, but not limited to, reputation damage to the software vendor.

There are limits to user discretion. There are hard limits, where software simply does not enable or allow you to take certain actions, and softer limits, ... direction. For example, when Microsoft introduced UAC, it turned the feature on by default, but it did include the possibility to turn it off by changing the system settings. Preliminary feedback indicates that, so far, three quarters of users keep UAC turned on.

Where and how to set such limits is a difficult balancing act for vendors, as it involves many trade-offs between user discretion and protecting the security and reputation of the product. As one interviewee explained:

"That debate raged on for four years straight, from the team level to the ... level and we rehashed that debate fifty times in those four years. You know - what should the defaults be and how much pain can we put the ... to get through to the independent software vendors? Are we being too aggressive with this plan or are we not aggressive enough? It was a huge engineering decision that really took a lot of guts at the VP level to support because we knew we were going to generate some customer dissatisfaction. The alternative is to say: I hope anti-malware engines can keep up with ..."



Summary of incentives for software vendors

Software vendors work under a mixed set of incentives, which may vary for different market segments. They do experience increasing costs as a result of growing security problems, most notably the direct and indirect costs of patch development and reputation effects. That explains why many ...




The net effect of the mixed set of incentives is dependent on the product and the market segment in which the vendor operates. Assuming all other things are equal, the increased efforts mitigate software-related security problems. However, at the same time as security efforts are being increased, malware is becoming more sophisticated, adapting to the new defences. Notwithstanding the efforts of software vendors, many of our interviewees expected that the situation would get worse still, before it would get better.

As vendors do not bear the full costs of software insecurity, there are externalities. Schneier (2007) has repeatedly argued that all the money that users of software products are spending on additional security products and services should be counted as externalities generated by those software vendors. That might not be fully correct and it may overestimate the size of the problem.

To a certain extent, security problems are connected to users' decisions and behaviours - as is inevitable, given user discretion over the configuration and use of software, as well as social engineering attacks that do not need software vulnerabilities to compromise a system. If somebody decides to buy a cheap or highly functional software product with known security problems plus separate security software, it is that customer's choice and this should not be treated as an externality. In theory, a well-functioning market would offer software with different degrees of security and let consumers choose. However, that assumes that everybody has full information and that there are no externalities on the consumer side. As we know, in many software markets consumers experience lock-in or a lack of alternatives. So there are externalities generated by the vendors' decisions, but they are probably lower than the total cost of ...



Domain registrars

The Domain Name System (DNS) is part of the Internet infrastructure, and as such it is affected by malware in a variety of ways. There have been well-publicised botnet-assisted denial of service (DDoS) attacks on root and TLD name server operators, aided by sophisticated tactics that use the existing DNS infrastructure to amplify the attacks.

In addition to the threats to the DNS infrastructure posed by malware, ...




... volunteers working at ISPs, CSIRTs and other organisations.

The procedures to take down phishing sites are changing constantly, as attackers adapt their strategy in response. Typically, ISPs and registrars are involved in taking down a phishing site. The first takes down the hosting, while the latter removes, suspends or redirects the domain names used by the attackers. Redirecting a domain name means sending the traffic to another location, typically to allow law enforcement or security professionals to examine it more closely.

Suspension is sometimes preferred over removal, as the latter would allow the attacker to register the name again elsewhere. The response of ISPs and registrars to the notification of phishing sites varies. Some act swiftly, others do not. At the latter extreme, we find bullet-proof hosting, whose business model is based on non-response and keeping malicious sites online as long as possible. Research suggests that legitimate ISPs and registrars, once they are under pressure to act, go through a learning process and develop procedures to deal more swiftly with abuse (Clayton, 2007). At that point, the criminal activity starts to migrate to other, easier targets.

The transaction costs of domain name registration itself are very low - as evidenced by the practice of "domain tasting", where millions of domain names are registered, the overwhelming majority of which are cancelled before the so-called "grace period" expires. For the registrar, this process is worthwhile because it enables a business model to find profitable domain names through trial and error, which drives up the number of registrations that make it past the grace period and thus generate revenue. Some interviewees suggested that there is a relation between domain tasting and abuse, but within the context of this study we have been unable to find evidence to clarify and corroborate that relation.

Incentives of domain registrars

The incentives of ISPs were discussed earlier. What about the registrars? To a significant extent, ISPs and registrars are overlapping categories. Domain name registration is an extremely low margin business, which is why many registrars tie them to complementary conventional ISP-type services, such as web hosting and hosted e-mail services. Some registrars even offer domain names at a slight loss, in order to entice people to register ...




The overlap between registrars and ISPs means they share similar incentives. It also means that the size of their operations is such that staffing an abuse desk and other security-related positions is seen as a normal cost of doing business. The different parts of the business often share a centralised abuse desk. Furthermore, they need such capabilities for other reasons than security, most notably to deal with complaints regarding copyright infringement - our interviewees reported that the latter made up a large ...

Of course, there are also smaller registrars, with or without complementary services, who lack staff to deal with abuse - again, similar to the situation with ISPs. Some of these smaller registrars leave it to the hosting provider to deal with all content-related complaints. Because of the overlap between registrars and ISPs, we refer back to the section on ISPs for a discussion of the incentives that both have in common. We only briefly summarise them here, complementing them with more specific findings for registrars.

Costs of customer support and abuse management

As with any business in a competitive market, registrars have an incentive to reduce operating costs. This includes customer support and abuse management. The number of complaints was reported to have risen substantially in recent years, though part of this growth coincided with growth of the customer base. At the same time, the response process has become partially automated and thereby more efficient. To illustrate: one interviewee reported getting 1 200-1 500 incoming complaints per day for a customer base of several million. Only a minor part of the overall incoming ...

While the company in question offered complementary services, most of the incoming complaints were about domain names that were registered with them, but hosted elsewhere. They were contacted because their terms of service did not allow the domain to be used for any kind of abuse - and they have a reputation for enforcing these terms. On the whole, the interviewee estimated that they suspend around 20 domain names per day for abuse-related reasons. Only a few per week were specifically for ... One explanation offered for this relatively modest number was that for end users who were infected by malware, it is often difficult to tie ...




...ation therefore provides an incentive that, all things being equal, works against security. This is reinforced by the need to investigate the notification, to understand whether the domain name is indeed associated with malicious activity. Given the dynamic and increasingly sophisticated tactics of phishing gangs, this can be more difficult than it may seem at first glance. Even for the experienced staff at larger registrars, investigating a notification and request to suspend a domain name for malware-related reasons can take several hours. Phishing sites are less difficult to investigate and can typically be dealt with within an hour.

The incentives for criminals are to register with registrars who are slow to respond to abuse. The longer the domain name stays active, the more successful their attack can be. This means that not all registrars are equally attractive. Those that are swift to suspend, remove or redirect a domain name thus incentivise criminals to look for easier targets. Given the enormous number of registrars, both for generic and country-code top-level domains, ... consequences for their lack of responsiveness, similarly to the consequences that ISPs suffer. In that sense, the costs of customer support and abuse management work as an incentive to improve security.

Several interviewees explained that it was their experience that if they dealt effectively with abuse, then criminals would avoid them or move elsewhere. This reduced the amount of complaints coming in, as well as associated costs such as blacklisting. The amount of abuse had gone down relative to the growth in their customer base.

Costs of blacklisting

Those registrars offering hosting and e-mail services are subject to the costs of blacklisting along the same lines as the ISPs. Blacklist operators monitor such registrars and their responsiveness to abuse complaints. In some cases, blacklists may be directed at the registrar itself. A case in point is the recent row between the blacklist operator Spamhaus and the Austrian registry/registrar Nic.at. Spamhaus had requested Nic.at to remove domain names it said were associated with phishing by the "rock phish" gang. Nic.at did not comply with these requests, citing legal constraints. They argued that they could not legally remove the sites, unless Spamhaus provided them with clear proof that the domain names had been registered using false information (Sokolov, 2007).




... a symbolic listing - no longer actually blocking the IP addresses, but keeping them listed as "spam support." Several of the offending domains have been removed, but Nic.at denies that they complied with the request and claims that the hosting providers took action (ORF, 2007; Spamhaus, ...).



Costs of brand damage and reputation effects

There also appear to be reputation effects, which provide security-enhancing incentives. As mentioned earlier, there are several cases of registrars who were popular among phishers and who at first did not respond to requests to suspend domains. Then they apparently went through a learning process and started to remove domain names quickly in response to requests (Clayton, 2007). It is unclear what precisely prompted this learning process, but their behaviour suggests that the registrar does not want to be associated with the malicious activity.

Another case is the ccTLD of Tokelau, an island with 1 300 inhabitants and a territory of New Zealand. The registrar for the .tk domain is a Dutch company, which hands out most domain names for free, making money from showing advertisements on the registered domains. After ... announced that over 10% of the .tk domains were suspected of malicious activity, the registrar introduced new measures, which included scanning of the domains for malware (Dot-TK, 2007).

r of maintaining reciprocity 

For registrars, maintaining reciprocity is as important as it is for ISPs. We heard numerous examples of registrars with hosting and e-mail services resolving instances of blacklisting through informal contacts with blacklist operators such as Spamhaus as well as major e-mail and network providers. One interviewee mentioned that one direct benefit of being responsive to abuse complaints is that it typically keeps sites with security problems off blacklists - or at least ensures a proportionate response from blacklists, such as listing only the specific machine associated with the abuse, rather than listing a whole range or subnet in which the offending machine resides. A security professional at an ISP claimed that his organisation sponsored Spamhaus, which effectively gave them a free pass in terms of being blacklisted.

An interesting new example of reciprocity stems from the size of the ...




i registrar disincentives 

isks and constraints 

vith the ISPs, a number of legal ambiguities surfaced which in some
translated into disincentives for security. Some interviewees argued
I to be careful with monitoring the hosted sites on their network. One
vee said:

legal liabilities kick in as soon as you have knowledge or should
owledge that something took place on your network. If you are
ely monitoring all the content of your hosting customers but for
r reason something is missed, while there is an expectation that you
lave caught it, then you could potentially be held liable for that
So the monitoring that we do is somewhat limited in scope and only

n there are potential liabilities around suspending or removing
names, as it involves a contractual relation between registrar and
it. Even if the terms of service of the registrar preclude the domain
the registrar to investigate and build a case showing that those terms
:n breached. That can be costly.

;mals often use a short cut: rather than asking the registrar to
ly investigate and decide on an abuse complaint, they point out that
trants' WHOIS information is false. As one interviewee explained:
those registrars that are not willing to assume the risk of the liabilities,
WHOIS accuracy policy is a comfortable refuge." Referring back to the
Spamhaus vs. Nic.at, the request of Spamhaus was indeed to suspend
ing domains on the grounds that their WHOIS information was
he response of Nic.at was that they were contractually bound and
to remove the domain names unless Spamhaus could provide legally
;ful evidence that the WHOIS information was indeed false.

re is also the risk of collateral damage from removing domain
It could be that the domain name is indeed used for phishing, but that
activity associated with it is criminal or that the actual owner is

leanest of others would in all likelihood not shield it from liability.






;cord for the security website SecLists.org at the request of
e.com, after the security site published a list of 56 000 MySpace
es and passwords that had been circulating on the Internet (Utter,

n if the domain is actually owned by criminals, that does not mean
strar is shielded from repercussions. In the past, there have been
spammers successfully suing their ISPs for shutting them down, just
have sued blacklist operators such as Spamhaus - a case which was
won by the spammer, although that did not affect Spamhaus directly
it is located outside the courts' jurisdiction. In short, the risk of
drives up the costs of compliance with abuse notifications,
ly in combination with more complicated and difficult to diagnose
rategies, which work against security.

everyone agreed that these liabilities form a significant risk. "In a
ises the risk of incurring liability vis-a-vis a spammer or malware
s very minimal," said one interviewee. "I believe most registrars
on that premise. Certainly, I have heard the excuse of liability used
registrars and I feel that it should not be used to absolve yourself
ur responsibility to your customers and your community... The real
ie cost of defending yourself against court cases. Even in the most
s cases there is some exposure and you need to take those exposures
ount into your business model."

t and customer acquisition 

rviewees expressed mixed views about the relationship between
costs and acquiring and retaining customers. The dominant view
i to be that proactively fighting abuse actually helped to acquire and
istomers, as it helps build their brand as trustworthy and secure. In
, active abuse management helped the registrars to mitigate risks of
.ing, also for customers that were not directly involved in the abuse
on-responsive registrars and hosting providers might experience
:vere forms of blacklisting which are correlated with substantial
il damage within their customer base.

other side of that story is that proactive abuse management often
swift action, which might be perceived as hasty or unjustified by the
is involved in the abuse issue. The latter might see themselves as






try of incentives for domain registrars 



icurity officer at an international bank told us he was not worried
he fast-flux networks for phishing, because in his experience
s were quite responsive in addressing the attacks at the level of the
name. That still implies, however, that in the absence of outside
, the incentives for security are not strong. In light of the large
of registrars currently in operation, this suggests a long learning
even if we assume that registrars that have improved security will
back into complacency.

,vas discussed earlier, the abuse complaints that ISPs receive cover
fraction of the actual amount of abuse on their network. The
,vees confirmed that this is similar for the domain names or hosting
that fall under their purview. "For every abuse situation we are
about, there are probably several more going on that we do not get
about," said one interviewee. In practice, this means that while
gistrars may have incentives to improve security, their efforts do not
ic full extent of the security problems associated with their services
r customers. In other words, there are externalities arising from these
for other market players in the value net.



users are arguably the most heterogeneous set of market actors,
from average home users to SMEs to public institutions to global
ions. Rather than trying to differentiate all of these actors, we
liscuss two extreme categories - home users and large organisations,
and private - and discuss in general terms the incentive structures
hich they operate.






s themselves. That incentive structure has changed dramatically. By
, its presence to the end user, malware can turn end user machines
ack platforms to be used against many other players in the
lion network.

lack of home-user action against the infection of their machines is a

Incomplete information - not knowing that they are infected or
inable to evaluate the relevant security risks and defense strategies;

shortage of incentives: home-users do not have to bear the costs of
heir decisions on other market participants.

unplete information is important, because it further weakens the 
misaligned incentive structure. While it is true an infected machine 
mobilised for use against other actors than the machine's owner, it is 
i also true that a significant portion of malware poses a direct threat 
vner - for example, keyloggers that capture access codes to financial 
'ransomware' that renders user files inaccessible until a ransom is 
he criminal, or Trojans that enable man-in-the-middle attacks during 
online banking sessions. 

rinciple, these risks could provide a strong incentive for home users
e their machines. But their lack of understanding of such risks or
defend against them renders the incentive to act on them rather weak,
non-existent. The interviewees at ISPs told us that when they contact
hose machines have been compromised, the response is generally
isitive. Their customers had no idea what was going on. Once it is
:d, they are often co-operative.

he abstract, however, the information about risks is not getting
A security officer at a smaller ISP explained it this way: "At any
point in time, we have 600-800 customers who have a malware, abuse
ity problem with their machine. You do not see those numbers in the
ecause a journalist does not think this is a problem; 600 out of 400
tomers. This is also why end users do not think it is a problem,
the chances of being hit seem so low."

cost of increasing security provides a further disincentive. The 






sre was still a large group of people not installing the software

milar phenomenon was related to us by the head of Internet security
;e ISP: they too offered an AV solution as part of the subscription,
e people who did install it often did not keep it up to date. He
it on poorly designed software. That sentiment was shared by a
itative of a consumer organisation: "We see that the products
:rs get for establishing some degree of security for their PC do not
properly, and they are too complicated to manage. Consumers cannot
their own security given the tools they are provided with." When
helher in their view consumers would be willing to pay for better
, the interviewee responded:

general terms, they do and they do not. They just expect it to be the
setting. Most products are secure. When you buy a car, it's got seat
r bags, brakes. Those things are included in the product. Consumers
charging extra for that is a bit ridiculous."

ne with these views, a survey by a consumer organisation found that 
ority of their members felt that Internet security was a shared 
bility: the consumers themselves are responsible for their online 
jr, but the technical aspects of security are the responsibility of 
most notably their PC retailers, ISPs, software vendors and the 
tent (Consumentenbond, 2006). 

difficult to disentangle incentives from incomplete information, but
nbined effect is to undermine the willingness, as well as the ability
Often this situation is described with a sense of inevitability, as if the
>er is a static entity with no learning curve. Surveys suggest that
ic users are adapting their behaviour, but it is unclear how those
add up, how to connect the disparate, if not contradictory, pieces of
don from the plethora of surveys out there. Even if we ignore the
.ncies between the numbers, it is hard to characterise the current
i. Surveys tell us a large number of people are worried about identity
ivacy, security, online predators, fraud and other problems. In fact, a
int portion of people are turning away from the Internet altogether
iOnline, 2006). At the same time, adoption of security measures
firewalls and AV software is increasing, slowly but surely (Fox,






■e structure for home users 

key question regarding the incentive structure is: how, if at all, are
;ers confronted with the costs generated by their security trade-offs?
ie, technically, they are confronted with them all the time. The bulk
;pam messages that everyone receives is sent through botnets, to
it one consequence. But the causality between individual behaviour
ft aggregate effects is too abstract and complicated to have a
t effect.

Iback typically stems from actual security problems that people
ice — the victims of fraud, identity theft or, less dramatic, degraded
alily of their machines. According to a 2007 survey by Consumer
, 1 in 5 people experience a major virus problem, 1 in 11 experience
spyware problem and 1 in 81 actually lost money from an account
ners Union, 2007). Assuming these numbers are correct, that would
omewhere between 20-30% of all home users have directly
iced the consequences of their security decisions. Potentially, this
: a powerful feedback loop, but the unanswered questions are:

, do people understand these incidents? Do they relate them back to
n decisions? Do they have adequate tools and capabilities to act on
derstanding, assuming such tools exist for end users? (The existing
software suites are increasingly ineffective in detecting malware.)

most direct mechanism (which is currently internalising some of the
ities generated by end users) is the ISP practice of isolating infected
itil they resolve the security problem. It would appear that this
works for relatively modest numbers of infected machines, but, as
ir experts say, it does not scale to the actual number of infections.

not just ISPs that bear the externalities generated by home users,
iline businesses are confronted with botnets and related security
and they have to provision their services accordingly - whether they
commerce company buying DDoS mitigation services from its ISP,
iline bank that has to design its services under the - all too valid -
ion that the customer's machine is compromised. Few of these
parties are in a position to mitigate these risks by influencing the
trade-offs of home users. Thus, defending against these security
s perceived as the cost of doing business.






to understand the security risks they face, take precautionary
s, as well as build incident response capabilities. Notwithstanding
.1 Yankees, research often reports that both public and private
tions underestimate the risks they face or under-invest with regard
ily. Some of our interviewees reported compromised machines in
tworks, which they perceived as more or less inevitable. They
.1 that their networks were by necessity rather open to accommodate
ors, or the flexible use of services throughout the organisation. One
vee said his network was like a fortress that kept intruders out, but
:neone had gained a foothold inside, there were many opportunities

le interviewees reported instances of malware on their network, they
this malware to be generic and not targeting their organisation
ally. It is unclear how valid this claim is. The way they found out
iese compromised machines - e.g. through notification by security
providers which were not under contract with them, or during the
s of support desk staff repairing malfunctioning machines - suggests
ir risk perception of malware is not based on any formal type of
of their own services and networks.

re are many known cases of companies who have suffered
ing security breaches — and there are undoubtedly many more
n ones. That being said, it is rather difficult to determine the
ate level of investment in light of these threats. While more formal
instruments have been developed in recent years to support these
s, their application requires the input of values and probabilities that
hard to estimate with any degree of reliability. According to the
SI Computer Crime and Security Survey, less than half of all
ttions use instruments such as ROSI, IRR and NPV (CSI, 2007).
:e providers have very little actuarial data to base policies on.

le the security practices of large end users undoubtedly leave much 
ir improvement, it is also important to realise this: many of the 
lial businesses underestimate risks and under-invest in security stem 
search sponsored or carried out by security providers, whose 
e is to overestimate the problem. 

trast these claims with the findings from the CSI Survey, which 






versed as damages per reporting organisation doubled to USD 345
difficult to assess whether this reflects a one-time deviation or a
d reversal of the downward trend. Most likely, it reflects the
ogy race between the provision of cybersecurity and ever-more
:ated and virulent criminal attack techniques. It is also important to
t direct losses are no measure of the complete financial impact felt
ty.

the trade-offs

anisations face all kinds of trade-offs regarding their information
decisions, including malware. Take the issue of patching. We heard
s that patching mission-critical software systems can cost millions,
reason, some companies did not patch immediately after release of a
lility patch, but waited for months and then applied several patches
leously.

re were even examples of organisations that consciously never
, estimating the risk of disruption to be higher than that of security
In the financial sector, security measures often face a trade-off
availability of the systems and their performance. In a world where
ily to process information in milliseconds affects the bottom line,
s that improve security but slow down transactions are not an
choice. A similar trade-off exists between security and availability -
he uninterrupted uptime of systems. All of these trade-offs involve
assessments of costs and benefits, often in the face of uncertainty
;ing information.

re the externalities? 

if it is true that large organisations might not fully understand the
J benefits of information security, the more relevant issue is whether
ation causes market externalities. In the absence of externalities, it is
their purview to pursue whatever security strategy they deem
ate and bear the consequences of those decisions. In most generic
the answer is yes, there are serious externalities.

mples of externalities are hospital records that are compromised,
I records of millions of citizens that are "lost", and a job website that
i compromised, allowing the personal information of over a million






vill be implicated in a wider variety of security breaches than those
already observed.

iamage and other incentives 

it are the incentives for these organisations to prevent these
ities? There is brand damage. Organisations that have been breached
strong incentive not to disclose this information. However, many US
ave adopted legislation that requires organisations to publicly
security breaches. The legislation includes no penalties, but still
; strong incentives because of the prospects of public
assment and loss of share value.

ipbell et al. (2003) reported that, on average, breaches of
itiality had a significant negative impact, causing an average decline
et value of about 5 %. A study by Cavusoglu et al. (2004) also
that announcing an Internet security breach is negatively associated
: market value of the announcing firm. The breached firms in the
ost an average of 2.1 % of their stock market value within 2 days of
ouncement — an average loss in market capitalisation of USD 1.6?
ler breach. While these effects are significant, some experts argue
;e are temporary and that, over time, the notifications will have less
impact, as the number of notifications increases and they lose their
lue.

1 breach notification legislation enables other parties to hold the
ble organisation liable for any damages they have suffered. This
done by individuals affected, but perhaps more realistically by other
ies that have more resources to pursue such a course of action. In the
the security breach at Choicepoint, this led to USD 10 million in
nalties for security breaches and USD 5 million in redress to
rs (FTC, 2006).

e recently we have seen what will undoubtedly be a landmark case,
rity breach at the US retailer T.J. Maxx in December 2006. Many
re suing the retailer for damages following this breach. Among them
banks that had to reimburse their customers for fraudulent
iins stemming from credit card information that was stolen at T.J.
ecently, the retailer has reported that the breach has already cost it
15 million — and the case is far from over. A security company






Sarbanes-Oxley, the Health Insurance Portability and Accountability
the Gramm Leach Bliley Act. While there is disagreement over the
mess of these laws, issues of liability and compliance have shown to
rs for increased security efforts (e.g. Ernst & Young, 2007; Lords,
152).

;r countries have different regulatory regimes in place. However,
e parallels. Data protection laws could potentially have similar
So far, however, these effects, if they are indeed occurring, are
.' less visible. Predictably, the debate is shifting towards the issue of
to connect sanctions to these liabilities. The UK Information
issioner recently called for criminal sanctions "for those who
>ly and recklessly flout data protection principles" (Shifrin, 2007).

try of end-user incentives 

users have been the focus of considerable debate regarding Internet
. As has been reported before, many externalities emanate from end
ecurity decisions - or non-decisions. Interestingly, both for home
d large users, there exist incentives that are potentially very strong -
he risk of significant damage to themselves resulting directly from

problem is, however, that their risk perceptions are often not
nt with the technological realities in which they operate. To the
hat end users do appreciate the risks they face, there are significant
s when they attempt to act on that information. For home users,
tools are often too complex and partially effective at best. For large
nd private organisations, the situation is remarkably similar. While
en have more expertise available, the security challenges are also
ially more complex in light of the complicated array of systems,
and the organisational arrangements around them.

a result, end users generate externalities, the costs of which are 
ies passed back to them. But in many cases, the costs are passed on, 
vitalised by, other market players, which consider them part of the 
loing business in the information industry, or the costs are absorbed 
ty at large. 



S.AI. LIST OF INTERVIEWEES - 137 



Annex 5.A1. List of Interviewees 



007, 41 in-depth interviews were conducted with 57 professionals
ganisations participating in networked computer environments that
routed with malware. Below is a full list of those responding,
each instance, the following questions were asked: how the
iiion was confronted with malware; what its responses were; what
fs were associated with these responses; and how the organisation
cted by the actions of other market participants.

details on the research design and its scope and limitations, please 
ex B. Research Design for Economies of Malware. 





Oracle [US]
Telstra BigPond [AUS]
PayPal [US]
Confederation of British Industry [UK]
Mozilla Foundation [US]
St. Elisabeth Hospital [NL]
Go Daddy [US]
St. Elisabeth Hospital [NL]
, Mary Ann
Oracle [US]
Consumentenbond (Consumers Union) [NL]
.Erie
France Telecom / Orange [FR]
ABN AMRO [NL]
John
StreamShield [UK]
Wim
FI-ISAC/Rabobank [NL]
KPN [NL]
XS4ALL [NL]
Microsoft [US]
Comcast [US]
Telstra BigPond [AUS]
ServePath [US]
GOVCERT [NL]
Oracle [US]
Scott
XS4ALL [NL]
Symantec [UK]
Fellow to the ICANN SSAC [US]
Google [US]
Federal Trade Commission [US]
Tucows [CA]
BSI (Federal Office for Information Security) [DE]
TrendMicro [JP]
Queen Mary University of London [UK]
GOVCERT [NL]
KPN [NL]
Federal Trade Commission [US]
NVB (Dutch Association of Banks) [NL]
BSI (Federal Office for Information Security) [DE]
ACDNet [US]
SurfnetCERT [NL]
Federal Trade Commission [US]
Shell International [NL]
BT [UK]
ABN AMRO [NL]
KPN-CERT [NL]
France Telecom / Orange [FR]
Shell International [NL]
Symantec [UK]
Support Intelligence / Alice's Registry [US]
APACS [UK]
Michigan State University [US]
Microsoft [US]
Packet Clearing House [US]






Chapter 6. The Market Consequences of Cybersecurity:
ining Externalities and Ways to Address Them



preceding chapter reported on the efforts and incentives of a variety
net market participants. It indicated a number of market-based
e mechanisms that contribute to enhanced security but also other
s in which decentralised actions may lead to sub-optimal outcomes,
sing question is: Are participants in the information and
lication markets responding adequately to malware, or are
menls possible? Pointing to a variety of reports that show increases
dous attack trends, one might conclude that markets are not
ing adequately. Our analysis revealed a more nuanced picture.

• categories of externalities 

I-world markets rarely meet the preconditions of standard economic
For example, decision makers rarely have complete information,
crate under conditions of bounded rationality, and they behave
listically. For these reasons, individual decisions rarely are as ideal
ibed by abstract models. Rather, real-world decisions are a process
"muddling through" second and third-best solutions, especially in an
vient of rapid technological change. Whether a decision was good or
ften revealed only after-the-fact.

issing the direct and indirect economic cost of malware in real-

ie provision of security entails cost, tolerating a certain level of
ty is economically rational. Therefore, the level of security realised
on the costs and benefits of security to individual actors, and on
I collective measures to enhance security. Two key questions are:



6. THE MARKET CONSEQUENCES OF CYBERSECURITY



>sts are externalised (passed on) to other market players or society at
i, how serious are they in relation to the internalised (absorbed)

le keeping in mind the scope and limitations of our study, we can 
number of tentative conclusions with regard to these questions, 
.he information market's value net, three relevant situations emerge 
market participants: 

ry 1: No externalities; market participants absorb all the 
"their security decisions. 

decision-making unit, be it an individual user or an organisation,
,■■ assesses security risks, bears all the costs of protecting against
threats (including those associated with these risks) and adopts
Lite countermeasures. The private and societal costs and benefits of
decisions are aligned. There may still be significant damage caused
ware, but this damage is borne by the market player itself. This
l would be economically efficient, but due to the high degree of
endency in the Internet, it is rare.

t does not mean these situations are non-existent. In principle, end
be they large organisations or skilled home users - who take
: security measures and successfully prevent their machines from
impromised generate no externalities for the rest of the market -
some experts might argue that under certain conditions such
ur creates positive externalities that are not taken into account and
d to a sub-optimal level of private investment (Kunreuther and
2003).

:ral interviewees in our field survey claimed that in recent years,
.ve not had any malware infection within their organisation's
. We were not in a position to check the validity of these claims, but
I unreasonable to assume that there are cases where malware is
ntly fought off, or where the effects of malware infections are, by
e, limited to the owner of the infected system.

ry 2: Externalities are created, but they are borne by agents 
i manage them. 






on others into account. But they can also result from a lack of skills
with security risks, or financial constraints faced by an individual or
ition.

ong as somebody else in the market internalises these costs, and this
in a position to influence these costs - i.e. it can influence the
trade-offs of the agents generating the externality - then the security
hieved by the whole value net may deviate less from a social
i than without such internalisation. This scenario depicts a relatively
case and numerous examples were found that confirm externalities
ing internalised by other market players.

' example 

; have started to manage the security problems generated by their
rs — e.g. by quarantining the infected machines of end users. As
ey absorb some of the costs generated by the sub-optimally low
:nt in security by their own customers. ISPs internalise these costs,
not doing would lead to even higher costs being imposed on them,
may experience blacklisting, rising customer support and abuse
nent costs and possible reputation effects.

key point here is that ISPs are internalising these costs, but that they
in a position to influence the behaviour of the agents generating the
ity - i.e. their own customers. For example, if they increasingly
blacklisting because of spam from infected end-user machines
their network, one of the options they have is to block port 25. That
significantly reduce the degree of blacklisting and the costs
^d with it. Of course, such a measure also has costs and implies a
off with other objectives, such as the kind of services the ISP can offer
>mers. They may opt against blocking port 25 for a variety of

That does not mean, however, that the externality is not a given, but
/ can actually influence its magnitude. This is different from, say, an
erce company who has to buy DDoS mitigation services from its
ause of botnet attacks. That company cannot do anything about
and thus the costs to defend itself against them are simply considered
doing business.

: only internalise a part - some experts would say a minor part - of
rnalities caused by their customers. For example, while ISPs are






e of online financial services 

ther instance of this type of externality was found in the case of
cases they compensate customers for the damage they suffer from
fraud. In that sense, they internalise the consequences of sub-optimal
investments by their customers, as well as the software vendors
oftware is exploited to execute the attacks. Many financial service
s claim they compensate all malware-related losses. If that claim is
, then the security level achieved by the whole value net may not be
from the optimum. The financial institutions bear the externalities,
are also in a position to manage the risk through security measures
lose on online financial services.

.'ever, there are three important considerations to take into account: 

unclear what the reality is of customer compensation under the
ent liability regime. Some researchers suggest that many claims are
' the direct loss (Schneier, 2005; Anderson, 2007).

re is debate within the industry to change the banking codes so as to
i,n more liability to the customer. New Zealand has already adopted
vised code to this effect. That would change the incentives which
lit push the level and focus of security investments of the financial
anions away from the social optimum (Anderson, 2007).
n if customer damage is compensated, one could argue that there are
externalities in the sense that important social efficiencies could be
ed if people had higher trust in these services and could adopt them
e quickly. These benefits would outweigh the additional security
stments that would be needed. While the magnitude of these
nalities is unknown, the financial service providers are the ones
stand to gain most from maintaining high trust in the e-channel. In
r words, this is a problem of incomplete information, rather than of

ry 3: Externalities are borne fully by other market 
<ants or by society at large. 






ike in Category 2, no other agents in the information and
lication value net absorb the cost. Or, if they do, they are not in a
to influence these costs - i.e. influence the security trade-offs of the
enerating the externality. Hence, costs are generated for the whole
nd society at large. These are the costs of illegal activity or crime
ed with malware, the costs of restitution of crime victims, the cost of
>rcement associated with these activities, and so forth.

hermore, the externalities may take on the more indirect form of
rowth of e-commerce and other activities. Slower growth may entail
cant opportunity cost for society at large, if the delayed activities
have contributed to economic efficiency gains and accelerated
A comprehensive assessment of these additional costs will demand
rted effort but will be necessary to determine the optimal level of
fight malware.

The case of lax security by end users

The most poignant cases in this category are the externalities caused by
the lax security practices of end users. Some of these externalities are
absorbed by other market players, but many are borne by the sector as a
whole and society at large. These externalities are typically explained by the
lack of incentives for end users to secure their machines.

It would be more precise, however, to argue that the end users do not
perceive any incentives to secure their machines. While malware writers
may use infected machines to direct their attacks at other targets, there is
also a plethora of malware that does in fact attack the infected host, most
notably to scour any information that can be used for financial gain. In that
sense, end users do have a strong incentive to secure their machines.
Unsecured machines cannot differentiate between malware that does, or does
not, affect the owner of the machine. If the machine is not sufficiently
secured, then one has to assume that all forms of malware can be present.
The fact that this incentive is not perceived by the end user is an issue of
incomplete information rather than a lack of incentives.



Distributional and efficiency effects



CONSEQUENCES OF CYBERSECURITY



When externalities are borne by agents who can manage them (Category
2), they are usually distributional in nature. That is, there is a mere shifting
of costs (and benefits) between the actors involved. In the case of ISPs,
end users shift to ISPs most of the cost of secure online connections, but the
ISPs are in a position to manage those costs via various actions.

In contrast, overall efficiency externalities materialise if the cost of
achieving a given level of information security can be reduced for all the
participants in the sector. This differentiation is also important in the
design of alternative strategies for coping with problems of malware.
Some measures, such as a modification of liability rules, may predominantly
shift the burden of combating malware from one set of actors to another. In
such cases, it will be critical that the resulting attribution of costs and
benefits is better aligned with the true cost structure of the value net. Only
then will efficiency be improved.

Due to the high degree of interrelatedness, nearly all the three
generic categories of externalities discussed in the previous section are
associated with both types of effects. In general terms, however, we would
argue that Category 2 externalities have mainly distributional effects, while
Category 3 will have distributional, as well as efficiency, effects. From a
policy perspective, the latter is obviously a more damaging form of market
failure. In the case of Category 2, efficiency effects are not a given, i.e.
they need not imply a suboptimal level of security for the value net as
a whole. Banks, for example, internalise the security-related externalities
caused by end users and others. This does not need to have efficiency
effects, because the banks can mitigate the risks of end users and thus can
trade off the damage against the costs of mitigation. In fact, it may have a
positive effect on efficiency, if the banks can manage the risks better than
end users can.

It is important to keep in mind that many malware-related externalities

externalities in environmental pollution does not hold. In the example of
pollution, there is a market player that benefits from the production process
causing that pollution. In that case, the guiding principle of standard
economic theory is to internalise the costs of pollution so that the agent
adjusts the level of production to be more in line with the social optimum.






and not by individual stakeholders. This is currently happening, for
example, in the area of law enforcement, but it is not clear whether it is at an
optimal level.

Results on the costs of malware

Although the malware-related costs of security measures are considered
necessary, estimates provided by players range from 6-10% of the
investment in ICT. No clear estimates of the effects of malware on operating
costs were available, although we did find that most organisations did
experience such effects. There was evidence throughout the empirical
study of concern that such effects are important, although no specific
information as to their magnitude is available. The concern with this broader
externality seems to motivate several players, especially in
sectors sensitive to reputation issues, to increase investment in security
and add a "safety margin" when deciding on levels of security.1

The information collected in this research project from actors across the
information and communication value net allows the conclusion that the
overall private and public costs of prevention are substantial. With few
exceptions, many actors have had to increase their security-related
investments as a response to the higher benefits of security associated with
the growing number of transactions conducted via the Internet and the increasing
number of attacks.

However, each actor typically only acts based on the perceived
consequences. In literally all cases, there were important costs and benefits that
occurred at other stages of the value net and were hence outside the decision-making

market co-ordination, the magnitude of these externalities is probably
smaller than hitherto assumed. On the other hand, many of these externalities
remain uncorrected, leaving the system overall in a sub-optimal state.

The collective costs of fighting malware, ranging from the costs of
establishing public-private organisations such as CERTs or CSIRTs, to the
costs of public education campaigns and law enforcement, add to these
costs. Finally, all actors pointed to the potentially high indirect costs
that are in the form of slower migration to efficiency-enhancing forms of
electronic transactions. Taken together, the direct and indirect costs of






Although the research in this report was not designed to develop specific
recommendations, some general concluding remarks are nonetheless
possible. With regard to the interrelationships within the information and
communications-related activities, it seems that the incentives of many of
the commercial stakeholders are reasonably aligned with minimising the
impact of externalities on the sector as a whole.

The incentives typically have the correct directionality. But in a variety
of cases they are too weak to prevent significant externalities. It is important
to note, however, that all market players we studied experience at least some
consequences of their security trade-offs on others. In other words, there
was a feedback loop that brought some of the costs imposed on others back
to the agent that caused them.

We found many such feedback loops, which mitigate the externalities
resulting from less-than-optimal security decisions. All market players we
studied experience such feedback, which potentially brings their security
trade-offs closer in line with that of society in general. We also noted,
however, that in many cases these feedback loops are too weak or too
localised to effectively change the security trade-offs that caused the
externalities to emerge in the first place.

In terms of policy development, a key strategy would be to strengthen
existing feedback loops and create new ones where possible. That would
keep public policy out of the realm of having to decide how secure is
secure enough when it comes to defending against malware.

Given the complexity of the interrelationships, there are no panaceas
that would address all the issues in one sweep. From our analysis, we
conclude that measures that increase the costs of malware perpetrators will,
other things being equal, help reduce the overall cost of security. But as
market participants may then be induced to reduce their investments in
security, the damages associated with security breaches may not decline.

Similarly, measures that increase the level of security may increase
security-related costs without actually lowering the damages related to
security breaches. In a highly interrelated system, it is often difficult to
assess the overall impact of a policy measure due to feedback and
unanticipated effects. It is therefore necessary to search for measures that are






Notes 



1. For a literature review of the available estimates of the costs of malware
and network security in general, see: Bauer, J. M., M. J. G. Van Eeten and
Chattopadhyay (forthcoming), Financial Aspects of Network Security:
Malware and Spam, ITU (International Telecommunication Union),
www.itu.int/ITU-D/cyb/.

2. For those readers interested in policy recommendations, note the recent
study: Anderson, R., et al. (2008), "Security Economics and the Internal
Market", European Network and Information Security Agency,
www.enisa.europa.eu/doc/pdf/report_sec_econ_&_int_mark_20080131.pdf.



III. WHAT CAN BE DONE? - 149 



Part III. Malware: What Can Be Done? 



Most would agree that the damage caused by malware is significant and
should be reduced, even though its economic and social impacts may be
difficult to quantify. That said, Part III of this book focuses on the factors that
should be considered in assessing what action to take, and by whom, against
malware. These include: the roles and responsibilities of the various market
participants, and the incentives under which they operate (Chapter 7); the
efforts already being undertaken by communities more specifically
involved in fighting malware (Chapter 8); and finally an assessment of what
steps could be taken to create a holistic and comprehensive approach to
malware (Chapter 9).



According to the 2002 OECD Guidelines for the Security of Information






7. The Role of End Users, Business and Government 



Malware affects individuals, business and government in different ways,
and these participants can play a role in preventing, detecting, and
responding to malware with varying levels of competence, resources, roles
and responsibilities, as called for in the OECD Guidelines for the Security of
Information Systems and Networks: Towards a Culture of Security (the
"Security Guidelines"). Better understanding the roles and
responsibilities of the various participants in relation to malware is
important to assessing how to enhance the fight against malware.

Participants

Among the various participants, those concerned by malware are:

End users (home users, small and medium-sized enterprises
(SMEs), public and private sector organisations) whose data and
information systems are potential targets and which have different
levels of competence to protect them.

Software vendors, which have a role in developing trustworthy,
reliable, safe and secure software.

Anti-virus vendors, which have a role in providing security
solutions to users (such as updating anti-virus software with the
latest information on malware).

Internet Service Providers (ISPs), which have a role in managing the
networks to which the aforementioned groups connect for access to
the Internet.

Domain name registrars and regulators, which determine if a 






example, in detecting, responding to and recovering from security
incidents and issuing security bulletins about the latest computer
network threats or vulnerabilities associated with malware attacks;
or in co-ordinating nationally and internationally the resolution of
computer network attacks affecting its constituency or emanating
from its constituency.

Law enforcement entities, which have a mandate to investigate and 

Government agencies, which have a role to manage risks to the 
security of government information systems and the critical 
information infrastructure. 

Governments and inter-governmental organisations, which have a
role in developing national and international policies and legal
instruments to enhance prevention, detection and response to
malware proliferation and its related crimes.



Incentives and disincentives - Highlights from Part II

Better comprehension of how market players are, or are not, incentivised
is important to understand how they are responding to malware and
to assess how to enhance the fight against malware. Incentives are
mainly the costs and benefits associated with the possible responses of
a market player. In some cases, there may be strong incentives for a
market player to develop policy and technical approaches to more

or even non-existent. Actors make their own trade-offs regarding
the kind of security measures they deem appropriate and rational, given
their business model.

Only limited information as to how individual actors actually make their
information security decisions is available in the public domain, which
makes it difficult to calibrate any form of public policy. Economic decisions
related to information security depend on the particular incentives
faced by each market player (Eeten and Bauer, 2008).






Box 7.1 Different types of incentives 

Incentives are often classified as being either monetary (financial,

Financial incentives typically connect degrees of achievement of an objective
with monetary payments. They include factors such as: tying the salary of an
employee to corporate performance; the ability to make a super-normal profit by
launching a risky innovation; or the bottom line effects of potential damage to a
company's reputation.

of action, or the set of possible actions that should be avoided in a
particular situation.



These incentives are rooted in economic, legal, and other mechanisms,
including the specific economic conditions of the market, the
interdependence with other players, formal legal rules as well as informal
norms. Ideally, the relevant incentives should assure that private costs and
benefits of security decisions match the social costs and benefits. Any policy
to combat malware, therefore, needs to take into account the
existing incentive mechanisms and examine whether they could potentially
be modified to produce more efficient outcomes at the societal level.

To illustrate, an online financial service provider might decide that it is
more cost-effective to compensate the damage of customers victimised by
malware, rather than to introduce new security technology reducing this
damage. Not only may those technologies be more costly than the actual
damage, they could raise the barriers for customers adopting these
services. The incentives under which these service providers operate may
make it economically rational to keep the damage of malware at manageable
levels rather than to push it back further.

At the societal level, the key policy question is whether the decisions of
actors take into account the costs and benefits that result from their response
to malware. There are instances where the incentives of actors do not reflect
the costs their decisions impose on others, i.e. these costs are externalised.






Externalities related to malware

Real-world markets rarely meet the preconditions that are assumed to
hold according to standard economic theory. For example, decision makers
rarely have complete information: they operate under conditions of bounded
rationality and behave opportunistically. For these reasons, real-world
commercial decisions are often a process of "muddling through" second and
third best solutions, especially in an environment of rapid technological
change. Moreover, many malware-related externalities and costs have their
origin in the illegal or criminal behaviour of illegitimate players imposing
costs on legitimate market participants.

Assessing the direct and indirect economic costs of malware and
of countermeasures is an important issue. As the provision of
security entails cost, tolerating a certain level of insecurity is economically
rational. The resulting level of security is dependent on the costs and
benefits of security. Relevant questions that need to be addressed include:

Are market players taking the full range of costs into account when
making security decisions?

What costs are externalised to other market participants or society at
large?

Findings regarding incentives and externalities for the different market
participants confronted with malware reveal three situations: no
externalities; externalities that are borne by agents that can manage them;
and externalities that are borne by agents who cannot manage them or by
society at large (Eeten and Bauer, 2008). For a detailed discussion of these
three categories, see Part II of this report.



Incentive structures for market participants

The research project presented in Part II of this report, conducted to
better understand current incentive structures and possible externalities,
shows that the overall response to malware emerges from the interaction of
market participants and the degree of compatibility (or incompatibility)
of their respective incentive structures.

It seems that the incentives of many of the commercial stakeholders are






back to the agent that caused them, even if in some cases the force
of the feedback loop has so far been too weak or too localised to bring their
behaviour in line with the societal optimum.

For some participants, an important mechanism to achieve this
result is the interdependence between them. In other instances
it is reputation effects that align incentives with the socially optimal choice.
These effects may operate independently or jointly, as in the case of ISPs.
For instance, a user with insufficient malware protection may cause an
externality whose cost is, in part, borne by the service provider, in part by
other ISPs, and in part by society at large (e.g. costs of law enforcement,
reduced trust in e-commerce). An ISP may incur costs to enable its network
to isolate single users that might spread malware due to insufficient
protection of that user's machine. Part of this externality is thus internalised
by the ISP because of the incentives of the provider to protect the integrity
of its services and to avoid blacklisting and the negative effects this might
have on its operating costs, its reputation and consequently its revenues and
growth prospects.

Effects on society at large

Among other findings, the research in Part II also shows that whereas
many external effects are internalised at the level of the whole information
society ecosystem, there are some effects that need to be considered as
externalities to society at large.

For example, malware and its effects may tarnish the reputation of
sectors that rely heavily on electronic transactions, such as banking or
commerce. If electronic platforms are used less frequently than would
otherwise be the case, then the forgone efficiency improvements can be
considered an externality cost to society of malware. Moreover, malware
may diminish trust in the working and security of e-commerce overall,
and if this results in slower diffusion and growth, one could consider the
forgone potential efficiency gains as a cost to society. Such potential
losses could occur at the sector level but they could also manifest themselves
in overall economic growth rates. There is evidence throughout the
research of concern that such effects are important, although no specific
information as to their magnitude is available.






Security problems and the related economic costs to society may have
two sources:

they are the outcome of relentless attacks on the information and
communication infrastructure by criminals; and

given an overall external threat level, they may be aggravated by
discrepancies between private and social costs, and benefits which are
the outcome of decentralised decision-making in a highly interrelated
system.

Actors in both the criminal world and within the information and
communications system respond to the economic incentives they face. For
the market players assessed in the empirical study presented in Part II, a
mixed incentive structure exists which includes positive incentives as well
as disincentives to take action against malware.



Note 



1. The research in Part II of this report is based on in-depth interviews in
a number of countries with representatives of market participants including
Internet Service Providers (ISPs), e-commerce companies with a focus on
online financial services, software vendors, hardware vendors, registrars
and end users, complemented by interviews with regulators, CSIRTs,
ICANN, security services providers and researchers.



8. WHAT IS ALREADY BEING DONE? - 157 



Chapter 8. What Is Already Being Done? 



by communities more specifically involved in fighting malware is
important to assessing how to enhance prevention of, and response to,



Key efforts

Substantial efforts by various participants have been made within OECD
countries and APEC economies and at the international level to raise
awareness, measure malware, develop or amend legal frameworks,
strengthen law enforcement, and improve response. For example:

Many websites and resources exist to help end users and SMEs 
secure their information systems. 

Many entities track, measure and sometimes even publish data on
their experience with malware and related threats.1 Furthermore,
schemas2 exist to provide single, common identifiers to new virus
threats and to the most prevalent virus threats in the wild to reduce
public confusion during malware incidents.

Several informal networks have been created that are a key element
of the response community's ability to respond to incidents resulting
from malware. CERT/CC has catalogued 38 national CSIRT teams,
19 of which are in OECD countries, and 16 of which are in APEC
economies (CERT Coordination Center, 2006). In addition, they
hold annual meetings for national CSIRT teams to gather and share
information about numerous issues, including malware.

Numerous countries across the world have legal provisions against 






online and 43 countries across the globe are now party to the
Convention.

Law enforcement agencies and organisations across the world have
made important efforts to find malicious actors and bring them to
justice for the crimes they commit. The law enforcement community
has created points of contact networks and other similar schema to
help cross-border co-operation in recognition that the majority of
these crimes cross legal and jurisdictional boundaries. Law
enforcement agencies and business typically use tools which
implement the Whois protocol to query database servers operated by
the domain name registrars and Regional Internet Registries for data
on domain name owners, Internet Protocol address and Autonomous
System Number allocations that can identify the asserted physical
locations where unlawful activity is taking place, and the relevant
service providers (ISPs), which, in turn, can provide information
regarding their customers.

ISPs are operating in highly competitive markets and are taking 
proactive steps in the fight against malware, such as quarantining 
infected machines. 

Software vendors have increased efforts to improve the security of 
their software. The deployment of vulnerability patches has 
improved. Arguably more important, many software vendors put 
software development processes in place that are increasingly aware 
of and focusing on security issues. 

Governments across OECD countries and APEC economies are
taking policy, legislative and technical measures to address
malware. In particular, they are working, in co-operation with the
private sector, to protect their government critical information
infrastructure from electronic attack.
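The Whois look-up described in the law enforcement bullet above, as an added example that is not part of the OECD report: a minimal client for the Whois protocol (RFC 3912), which follows the referral from IANA to the authoritative Regional Internet Registry and pulls out the fields an investigator actually acts on (the address block, the announcing ASN, the registrant country and the abuse mailbox). The server names and field names are the ones the public registries use; the canned responses for the documentation prefix 192.0.2.0/24 and documentation ASN 64496 are constructed here so the code runs offline, and the organisation and mailbox in them are placeholders, not real registration data.

```python
"""Minimal Whois client (RFC 3912) with referral following and field parsing.

Whois is a plain-text protocol: open TCP port 43, send the query terminated
by CRLF, read until the server closes the connection. IANA answers with a
'refer:' line naming the authoritative registry (ARIN, RIPE, a TLD registry),
so a practical lookup follows one or two referrals before parsing the record.
"""
import socket
from typing import Callable, Dict, List, Optional, Tuple

WHOIS_PORT = 43
IANA_WHOIS = "whois.iana.org"

Fields = Dict[str, List[str]]


def whois_query(server: str, query: str, timeout: float = 10.0) -> str:
    """One RFC 3912 exchange: connect to port 43, send query + CRLF, read to EOF."""
    with socket.create_connection((server, WHOIS_PORT), timeout=timeout) as sock:
        sock.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def parse_whois(text: str) -> Fields:
    """Collect 'Key: value' lines into a dict keyed by lower-cased field name.

    Comment lines (% or #) and lines without a colon are skipped; repeated keys
    (several Country or OrgAbuseEmail lines) are kept in order, not overwritten.
    """
    fields: Fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("%", "#")):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        fields.setdefault(key.strip().lower(), []).append(value.strip())
    return fields


def referral_server(fields: Fields) -> Optional[str]:
    """Return the next server named by a referral field, if any.

    IANA uses 'refer:', ARIN 'ReferralServer: whois://host', TLD registries
    'Registrar WHOIS Server:'. Scheme, port and path are stripped to a hostname.
    """
    for key in ("refer", "referralserver", "whois", "registrar whois server"):
        for value in fields.get(key, []):
            host = value.strip().lower()
            if host.startswith("whois://"):
                host = host[len("whois://"):]
            host = host.split("/")[0].split(":")[0]
            if host:
                return host
    return None


def lookup(query: str, start: str = IANA_WHOIS, max_hops: int = 3,
           fetch: Callable[[str, str], str] = whois_query) -> Tuple[str, Fields]:
    """Query `start` and follow referrals until a server gives none.

    `fetch` is injectable so the same logic runs offline against canned text.
    Referral loops are cut by remembering servers already asked and by max_hops.
    """
    server, asked = start, []
    while True:
        asked.append(server)
        fields = parse_whois(fetch(server, query))
        nxt = referral_server(fields)
        if nxt is None or nxt in asked or len(asked) >= max_hops:
            return server, fields
        server = nxt


# Constructed sample responses (not captured from live servers) for the
# documentation prefix 192.0.2.0/24 (RFC 5737) and documentation ASN 64496.
SAMPLE_RESPONSES = {
    ("whois.iana.org", "192.0.2.1"): (
        "% IANA WHOIS server\n"
        "refer:        whois.arin.net\n"
        "inetnum:      192.0.0.0 - 192.255.255.255\n"
        "organisation: Administered by ARIN\n"
    ),
    ("whois.arin.net", "192.0.2.1"): (
        "# ARIN WHOIS data and services are subject to the Terms of Use\n"
        "NetRange:       192.0.2.0 - 192.0.2.255\n"
        "CIDR:           192.0.2.0/24\n"
        "NetName:        TEST-NET-1\n"
        "OriginAS:       AS64496\n"
        "Organization:   Example Network Operator (EXAMPLE-1)\n"
        "Country:        US\n"
        "OrgAbuseEmail:  abuse@example.net\n"
    ),
}


def sample_fetch(server: str, query: str) -> str:
    """Offline stand-in for whois_query backed by the constructed responses."""
    return SAMPLE_RESPONSES[(server, query)]


def locate_abuse_contact(query: str, fetch=whois_query) -> Dict[str, str]:
    """What an investigator wants from the record: the authoritative registry,
    the block, its announcing ASN, the registrant country and the abuse mailbox."""
    server, fields = lookup(query, fetch=fetch)

    def first(key: str) -> str:
        return fields.get(key, [""])[0]

    return {"registry": server, "netrange": first("netrange"),
            "origin_as": first("originas"), "country": first("country"),
            "abuse": first("orgabuseemail")}


if __name__ == "__main__":
    # Offline demo; drop fetch=sample_fetch to query the real servers.
    print(locate_abuse_contact("192.0.2.1", fetch=sample_fetch))
```

Two practical caveats the report's wording ("asserted physical locations") hints at: the country and organisation fields are self-declared by the registrant and are not verified by the registry, and the network owner of an address block is often a hosting provider rather than the operator of the malicious host, so the Whois result is the starting point for a request to the ISP, not evidence of location on its own.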

These communities have made significant efforts to address the issue of
malware and anecdotal evidence suggests a much greater awareness of the
issue than only a few years ago. The nature of malicious and criminal
online activity, however, is such that these communities are always
"catching up" with the malicious activities. This report has shown that
preventing all malware is neither feasible nor economically rational but






Instruments, structures and initiatives that address malware

The following section provides examples (rather than a comprehensive
list) of existing instruments, structures and initiatives, at the national and
international levels, whose purpose is to help address the issue of malware.

Awareness raising

Awareness is an important line of defense against malware and the
harm resulting from its use. Both the public and private sectors, separately
and in partnership, have taken initiatives to educate Internet users about



Australia - E-Security National Agenda (ESNA)

The Australian Government established the ESNA in 2001 to create a
secure and trusted electronic operating environment for both the public and
private sectors. A review of the ESNA in 2006 found that the online
environment is highly interconnected and that e-security threats to different
sectors of the Australian economy can no longer be addressed in isolation.
In this context, the Australian Government announced AUD 73.6 million
over four years for new measures to strengthen the electronic operating
environment for business, home users and government agencies.4 In
particular, the Australian government is undertaking the following initiatives:

An annual National E-Security Awareness Week will be held in
collaboration with industry and community organisations. The week
encourages Australian home users and SMEs to undertake smart
behaviour online. A pilot Awareness Week was held in October
2006.

The enhancement of the Government's e-security website
www.staysmartonline.gov.au is the key mechanism to disseminate
simple e-security information and advice to home users and small
businesses on how they can secure their computers and adopt smart
online practices.

The development of an e-security education module for Australian
schools to focus on raising e-security awareness of young
Australians.






The Australian Government has also developed a number of booklets to
encourage Australian consumers and small businesses to protect themselves
from e-security threats.5

Australia - NetAlert6

Launched in August 2007 by the Australian government, NetAlert is an
Internet safety initiative that combines an Internet safety information
campaign, a National Filter Scheme to provide free access to an Internet
content filter to help block unwanted content, and a website and hotline to
provide advice about protecting children online, as well as access to the free
filters and information about how they work.

Australia - Stay Smart Online website

The Stay Smart Online website provides simple step-by-step advice to
home users and small and medium-sized enterprises (SMEs) on how they
can protect themselves online.

European Union - Safer Internet Plus Programme

At the EU level, the Safer Internet plus programme promotes safer use
of the Internet and new online technologies, particularly for children, as part
of a coherent approach by the European Union.



United Kingdom - Get Safe Online

Get Safe Online (GSO) is the UK Government website that aims to
provide awareness raising information about safe online practices for home
and SME Internet users. The website complements the ITsafe website and
focuses on awareness raising activities with links to popular websites. Its
material provides information on e-mail, malware, phishing and
The website was initiated by a joint agreement between the UK
Government and the private sector, namely sponsors from technology, retail

Get Safe Online Week (GSOW) was launched in October 2006 and
included various awareness raising activities. Activities of the Week
included an Internet safety summit with an objective to initiate liaison






The service is funded by the UK Government Home Office and uses
information provided by the Centre for the Protection of National
Infrastructure (CPNI). This Government department provides electronic

for the UK Government. The aim of the ITsafe website is to advise on the
best methods necessary to protect personal and business data. ITsafe
is managed by a Government team on behalf of the CPNI by the Central
Sponsor for Information Assurance (CSIA).

New Zealand NetSafe9

NetSafe is a partnership between The Internet Safety Group (ISG), an
independent non-profit organisation responsible for cybersafety education in
New Zealand, and the New Zealand Ministry of Education with
consultation and sponsorship from industry, police, banking and others.
The focus of NetSafe is to provide children with information about sexual
abuse or similar instances of abuse online. The site also provides information
on malware, computer maintenance, peer-to-peer file sharing, IRC
risks, hackers and other e-security topics.

The NetSafe website covers topics including online safety for children
and teenagers, online security for businesses, Internet fraud and law
enforcement, online gambling, copyright, e-commerce and the law. NetSafe
also hosts a cartoon website, Hector's World, designed to entertain and
educate children about online safety.

United Kingdom ITsafe10

The ITsafe initiative is a UK website that provides simple and easy to
understand e-security alerts and threats to both home and small business
computer users. Advice and information contained within the website is free
and includes varying types of e-security threat alerts and warnings enabling
a safer electronic environment for Internet users.

United States OnGuard Online11

OnGuardOnline.gov is a website maintained by the US Federal Trade
Commission and partners such as the US Postal Inspection Service, the US
Department of Homeland Security, the US Department of Commerce, and
the Securities and Exchange Commission to provide practical tips from the






United States StaySafeOnline12

StaySafeOnline is a website provided for the public by the National
Cyber Security Alliance, a US industry coalition supported by the US
Department of Homeland Security to provide cyber security awareness to
the home user, small businesses, higher education, and K-12 students. It
provides free and non-technical cyber security and safety resources
including alerts, tips, and reports to the public so consumers, small
businesses and educators have the knowhow to avoid cyber crime.

United States - National Cyber Security Awareness Month

The United States Government in collaboration with industry holds an
annual National Cyber Security Awareness Month (NCSAM). The month
aims to raise awareness about online security and how to adopt safe online
practices. The activities and events held in the month focus on home Internet
users, SMEs, government, education and the corporate sector.

Teenangels13

Teenangels is a US based group of 13-18 year-old volunteers who have
been specially trained by the local law enforcement, and many other leading
security experts in all aspects of online safety, privacy, and security.
After completion of the required training, the Teenangels run
programmes in schools to spread the word about responsible and safe
online behaviour to other teens and younger children, parents, and teachers.

Legal instruments

Council of Europe Convention on Cybercrime

The Convention of the Council of Europe (CoE) on Cybercrime is the
first and only legally binding multilateral treaty addressing the problems
posed by the spread of criminal activity on line. Signed in Budapest,
Hungary in 2001, the Convention entered into force on 1 July 2004.
Recognising digitalisation, convergence and continuing globalisation of
computer networks, the Convention requires its signatories to establish laws
to criminalise security breaches resulting from hacking, illegal data
interception, and system interferences that compromise network integrity






and international co-operation." To achieve these goals, the signatories
must establish certain substantive offences in their laws which apply to
cyber crime. Although malware is not per se mentioned in the
Convention among the illegal activities that signatories must criminalise, it
is indirectly covered under closely related listed crimes including illegal
access to information systems, computer data, and computer-related fraud.14

The Convention encourages a more coherent approach in the fight
against cyber attacks. It also includes provisions for a 24 hours per day, 7
days per week online crime-fighting network and facilitates public-private
partnerships. The Convention also provides extradition and mutual legal
assistance provisions between signatories where no such treaties exist.

To date, the Convention has been ratified by 21 countries and signed by
additional countries (Council of Europe, 2007). Some companies in the
private sector have taken some initiatives to help ensure a larger impact of
the Convention's principles.15

Detection and response

Many countries have a watch, warning and incident response function in
the form of a CSIRT or CERT. It is important to recognise that not all
CSIRTs and CERTs are alike. Some are public entities residing in the
government structure, some are publicly and privately funded entities with
specific mandates and still others are associated with academic
institutions.16 It is widely accepted good practice that governments develop
and support a CSIRT or CERT with national responsibility.17

In some cases, entities within a country are required to report

them. In some cases this entity is a CSIRT/CERT. For example, in
Finland it is obligatory that significant violations of information security,
and disturbances in public telecommunications be reported to the

national CSIRT of Finland, CERT-FI.18 One example of a "significant
violation" is considered activation of malware in telecommunication service
providers' own systems. In order to fulfil this regulation for external
reporting, the telecommunications service provider must have
adequate internal processes for detection and reporting of as well as
recovery from information security incidents and threats. This model has
been successful in Finland because the government has proven to the






the United States, all civilian government agencies are required to 
information security incidents to US-CERT. In both Finland and the 
States a standard incident report form is provided. 

tional initiatives 

of Incident Response Security Teams (FIRST) 

ST brings together a variety of computer security incident response 
(CSIRTs) from government, commercial, and educational 
itions in 37 countries. FIRST aims to foster co-operation and co- 
nn in incident prevention, to stimulate rapid reaction to incidents, 
iromote information sharing among members and the community at 
Membership in FIRST enables incident response teams to reach 
)arts in other countries that can help them to more effectively 
to security incidents. 

Pacific CERT (APCERT) 21 

APCERT is a contact network of computer security experts in the Asia 
region established to improve the region's awareness and 
:ncy in relation to computer security incidents. APCERT works to 
co-operation on information security, facilitate information sharing 
mology exchange and promote collaborative research on subjects of 
to its members. APCERT also works co-operatively to address legal 
elated to information security and emergency response across 
boundaries. 

Caribbean Telecommunication Union 

Caribbean Telecommunications Union (CTU) has been involved in 
lopment of an Internet Governance Framework for the Caribbean on 
>f the Caribbean Community (CARICOM). The CTU has held 
significant Internet Governance forums at which delegates raised the 
establishing a Caribbean Computer Emergency Resource Team 
for timely detection of security incidents in regional computer 
s, their proper handling and post-detection activities. There is now a 
body of ICT practitioners who have expressed the need for a CERT 
tablished for the Caribbean. In response, the CTU will be engaging 






European Government CERT Group (EGC) 

EGC 22 group is an informal group of governmental CSIRTs that is 
ing effective co-operation on incident response matters between its 
s, building upon the similarity in constituencies and problem sets 

governmental CSIRTs in Europe. To achieve this goal, the EGC 
s jointly develop measures to deal with large-scale or regional 

security incidents, facilitate information sharing and technology 
e relating to IT security incidents and malicious code threats and 
tilities, share knowledge and expertise, identify areas of 
alive research and development on subjects of mutual interest, and 
ge formation of government CSIRTs in European countries 

ordination Council CERT (GCC CERT) 

GCC CERT aims to supervise the establishment of national response 
] Saudi Arabia, the United Arab Emirates, Qatar, Bahrain, Kuwait 
an. 

Force CSIRT (TF CSIRT) 

activities of TF CSIRT are focused on Europe and neighbouring 
s, in compliance with the Terms of Reference approved by the 
A Technical Committee on 15 September 2004. TF CSIRT provides 

for the European CSIRTs to communicate, exchange experiences 
knowledge, establish pilot services, and assist the establishment of new 
. Other goals of the TF CSIRT include: 

To promote common standards and procedures for responding to 
security incidents. 

To assist the establishment of new CSIRTs and the training of 
CSIRTs staff. 



einent 

ic structures 

er EU legislation the provisions detailed on the next page may be 
1 by administrative bodies and/or criminal law authorities. Where 






together the technical and investigative skills of different agencies, 
ation protocols are needed to cover such areas as exchange of 
lion and intelligence, contact details, assistance, and transfer of 

le United States, both the Federal Bureau of Investigation and the 
Secret Service have authority to investigate malware crimes in 
i of the Computer Fraud and Abuse Act (Title 18, United States 
ection 1030). Violations of the Computer Fraud and Abuse Act are 
:ed in US federal courts by the US Department of Justice, through its 
nney's Offices and the Criminal Division's Computer Crime and 
ual Property Section. The US Department of Justice also prosecutes 
:-related crimes such as criminal violations of the CAN-SPAM Act 
I, United States Code, Section 1037), access device fraud (Title 18, 
States Code, Section 1029) and Aggravated Identity Theft (Title 18, 
States Code, Section 1028A). 

tional mechanisms 

;ous international forums focusing on security, privacy or consumer 
)n issues, devote substantive efforts to tackle the multifaceted nature 



ntact Network of Spam Authorities (CNSA) 24 

the initiative of the European Commission, an informal group was 

13 of the Privacy and Electronic Communication Directive 
/EC called the Contact Network of Spam Authorities (CNSA). In 
CNSA, information on current practices to fight spam is exchanged 
National Authorities, including best practices for receiving and 
complaint information and intelligence and investigating and 
ng spam. The CNSA has set up a co-operation procedure that aims 
late the transmission of complaint information or other relevant 
nce between national authorities. The CNSA has drawn up a co- 
n procedure to facilitate cross-border handling of spam complaints 
orking on the issue of spyware and malware. 






icludes almost 50 countries, was created among the CIS countries in 
address the challenges that high-tech crime investigations 
law enforcement. The 24/7 Network is designed to supplement (but 
ace) traditional mutual legal assistance frameworks by providing a 
sm to facilitate the preservation of electronic evidence. The 24/7 
; has been instrumental in preserving evidence in hacking, fraud, and 
crime investigation and for providing training on topics such as 



Interpol 

Interpol is an international police organisation with a mission to 
or combat international crime. Interpol has decentralised its 
me expert teams around the world through the establishment of 
Working Parties on Information Technology Crime for Europe, 
.merica, Asia, South Pacific, and Africa. 26 Interpol's European 
1 Party on Information Technology Crime (EWPITC) has for 
: compiled a best practice guide for experienced investigators from 
enforcement agencies. 27 It has also set up a rapid information exchange 
under an international 24-hour response scheme, listing responsible 
within more than 100 countries. This scheme was notably endorsed 
IS 24/7 HTCN. 

London Action Plan (LAP) 28 

purpose of the London Action Plan is to promote international spam 
nent co-operation and address spam-related problems, such as 
fraud and deception, phishing, and dissemination of viruses. The LAP 
participation from government, public agencies, and the private 
om over 27 countries. 

:ional Consumer Protection Enforcement Network (ICPEN) 

International Consumer Protection and Enforcement Network 
) is a network of governmental organisations involved in the 
Trent of fair trade practice laws and other consumer protection 
s. ICPEN was founded in 1992 by 20 countries and in co-operation 
OECD and the EU; the network now has 29 participant countries. A 






;rs face in conducting cross-border transactions for goods and 
. ICPEN co-operation does not include the regulation of financial 
and product safety and it does not provide a platform for the 
nent of specific redress for individual consumers. 

ICPEN has established several working groups including: The Mass 
tig Fraud Working Group, Best Practices Working Group, 
[itch Working Group that covers some of the issues associated with 
:. In addition, their Internet Sweep initiative seeks to find and 
e fraudulent and deceptive Internet sites. 

tion 

le malware is rarely mentioned as such in legislation, malicious 
s that use malware are often covered by numerous existing areas of 
uding criminal law, consumer protection law, data protection law, 
munication law, and anti-spam law. A survey by the OECD Task 
i Spam at the end of 2004 indicated that most OECD countries have, 
last few years, set up a legislative framework in order to fight spam 
' apply to malware in some cases. 

le European Union, under the e-Privacy Directive and the General 
tection Directive, national authorities have the power to act against 
following illegal practices: 

Sending unsolicited communications (spam). 

Unlawful access to terminal equipment: either to store information - 
such as adware and spyware programs - or to access information 
stored on that equipment. 30 

Infecting terminal equipment by inserting malware such as worms 
and viruses and turning PCs into botnets or usage for other 
purposes. 31 

Misleading users into giving away sensitive information such as 
passwords and credit card details by so-called phishing messages. 32 
Some of these practices also fall under criminal law, including the 
Framework Decision on attacks against information systems. 33 
According to the latter, Member States have to provide for a 
maximum penalty of at least three years imprisonment, or five years 






prohibit the preventing or hindering access to a programme or data 
held on a computer, or impairing the operation of any programme or 
data held on a computer. The law also increased the maximum 
penalty for such cybercrimes from five to ten years and refined the 
definition of computer abuse to cover denial of service attacks. 

Germany's August 2007 anti-hacking law, making hacking, 
denial-of-service, and computer sabotage attacks on individuals 
illegal. The provisions extend criminal liability to the intentional 
"preparation of criminal offences" by producing, distributing, 
procuring etc. of devices or data designed for such purposes. 
Offenders could face sentences of up to ten years in prison for major 
offenses. 

The United States Congress is considering legislation that would 
create a law that would establish that the use of spyware to collect 
personal information or to commit a federal criminal offense is a 
federal crime. If passed by and signed into law, it would authorise 
the appropriation of USD 40 million for the prosecution of 
violations of the new law from 2008 to 2011." In addition, the US 
Federal Trade Commission (FTC) has actively pursued spyware 
companies using its authority under Section 5 of the FTC Act. The 
FTC has brought 11 law enforcement actions during the past two 
years against spyware distributors. These actions have reaffirmed 
three key principles. First, a consumer's computer belongs to him or 
her, not the software distributor. Second, buried disclosures about 
software and its effects are not adequate, just as they have never 
been adequate in traditional areas of commerce. And third, if a 
distributor puts an unwanted program on a consumer's computer, he 
or she must be able to uninstall or disable it. 

private structures 

ic initiatives 

Australia: Internet Security Initiative 
Australian Internet security initiative, administered by the 






initial trial of the Australian Internet Security Initiative commenced 
2005, with participation of six Internet service providers 
The trial highlighted that the vast majority of customers are unaware 
ir computers are infected by malware and are grateful for the 
:e in making their computer secure. Since the trial commenced the 
Industry Spam Code of Practice (a Code for Internet and Email Service 
Providers) has come into effect (16 July 2006). The code 
nents the Australian internet security initiative, as it contains 
ns that enable ISPs to disconnect a customer's computer if the 
is not resolved by the customer. 

United States 

example of public-private partnership in the US is in critical 
icture protection, under the National Infrastructure Protection Plan 

managed by the US Department of Homeland Security. The 
irk under the NIPP includes a government entity ("Government 
ating Council", GCC) made up of government agencies and industry 
("Sector Coordinating Council", SCC) in each of the determined 
infrastructure sectors, including the Information Technology and 
nications sectors. The NIPP is a framework for assessing and 
ig the risk to each of the sectors, including threat, vulnerabilities, 
sequences. 40 

ther example of public-private domestic co-operation is the US 
InfraGard programme to improve and extend information sharing 
private industry and the government, including law enforcement, 
ts to critical national infrastructure. 

illy, the US National Cyber-Forensics and Training Alliance is a 
rtnership between law enforcement, academia, and industry that 
ates on cybercrime issues. The Alliance facilitates advanced 
. promotes security awareness to reduce cyber-vulnerability, and 
* forensic and predictive analysis and lab simulations. 41 

tional initiatives 

Council of Europe/Microsoft 






Anti-Phishing Working Group 

Anti-Phishing Working Group (APWG) is a volunteer-run 
lira of industry and law enforcement focused on eliminating the 
.rom phishing, pharming and e-mail spoofing of all types. The 
has over 2 600 members including 1 600 companies and agencies as 
national and provincial law enforcement. It provides a forum to 
phishing issues, define the scope of the phishing problem in terms 
i, and share information and best practices for eliminating the 
. 43 The APWG website provides a public resource for reporting 
; attacks. When phishing is reported, the APWG analyses the 
lion provided and adds it to its online phishing archive. The APWG 
arks to share information about phishing attacks with law 
nent when appropriate. In addition to phishing, the APWG tracks 
phased Trojans, keyloggers and other malware. 

Messaging Anti-Abuse Working Group 44 

Messaging Anti-Abuse Working Group is a global organisation 

: goal of enhancing user trust and confidence, while ensuring the 
bility of legitimate messages. With a broad base of Internet Service 
-s (ISPs) and network operators representing over 600 million 
es, key technology providers and senders, MAAWG works to 
messaging abuse by focusing on technology, industry collaboration 
lic policy initiatives. 

Microsoft's Botnet Task Force 

Through its international Botnet Task Force, first held in 2004, 
Microsoft provides training to law enforcement officials from around the 
who have been confronted with the task of investigating Botnet 
(Charney, S., 2005). 

PhishTank 

PhishTank is a free community site where anyone can submit, verify, 






Anti-Spyware Coalition (ASC) 

ASC is a group composed of anti-spyware software companies, 
cs, and consumer groups which focuses on the development of 
I definitions in relation to spyware. On 25 January 2007, ASC 
:d working documents on best practices 45 aimed to detail the process 
h anti-spyware companies identify software applications as spyware 
potentially unwanted technologies. 

sector partnerships 

example of private sector partnerships in the United States is the 
and continued development of the Information Technology 
lion Sharing and Analysis Center (IT-ISAC). The IT-ISAC is a 
community of security specialists from companies across the 
tion Technology industry dedicated to protecting the Information 
ogy infrastructure that propels today's global economy by 
ng threats and vulnerabilities to the infrastructure, and sharing best 
i on how to quickly and properly address them. 46 

rds and guidelines 

of Electrical and Electronics Engineers (IEEE) 47 

IEEE is a non-profit organisation for the advancement of 
igy. Through its global membership, the IEEE is a leading authority 
:as ranging from aerospace systems, computers and 
ics among others. Members rely on the IEEE as a source of 
1 and professional information, resources and services. The IEEE is 
g developer of standards for telecommunications and information 
technology. 

tional Standards Organisation (ISO) 

International Organization for Standardization (ISO) is a worldwide 
)n of national standards bodies from more than 145 countries. 
1 non-governmental organisation established in 1947 and based in 






ie activity. ISO's work results in international agreements which are 
:d as International Standards and other types of ISO documents. 

le relevant ISO/IEC standards include the following: 

ISO/IEC 17799:2005 Information technology - Security techniques 
- Code of practice for information security management. 

ISO/IEC 19770-1 Software Asset Management: Are You Ready ? 

une 2007, the ISO and IEC joint technical committee (JTC) 1 
nittee (SC) 27 proposed a new work item on "Guidelines for 
:urity (27032)". 48 This standard would provide comprehensive 
es on cybersecurity 49 to both service providers and users 
ations and end users) and, in particular address behavioural, 
iiionul and procedural issues. More specifically, it would offer 'best 
' guidance in achieving and maintaining security in the cyber 
nent for audiences in a number of areas, and address the 
lenl for a high level of co-operation, information-sharing and joint 
i tackling the technical issues involved in cybersecurity. This needs 
achieved both between individuals and organisations, at a national level 
rnationally. 

National Institute of Standards and Technology 

ided in 1901, NIST is a non-regulatory federal agency within the 
artment of Commerce. NIST's mission is to promote US innovation 
Llustrial competitiveness by advancing measurement science, 
Is, and technology in ways that enhance economic security and 
quality of life. In November 2005, NIST published the Guide to 
Malware Incident Prevention and Handling as NIST Special Publication 
800-83. 50 

Wide Web Consortium 

World Wide Web Consortium (W3C) 51 is an international 
urn where member organisations, a full-time staff, and the public 
gether to develop web standards. W3C's mission is "To lead the 
Wide Web to its full potential by developing protocols and guidelines 
.ire long-term growth for the Web." 






cal solutions and resources 

domestic initiatives 
Cyber Clean Center (CCC) 

2006, the Japanese government began a project to reduce the number 
infected computers in Japan with the objective of preventing spam e- 
d cyber attacks in Japan. To accomplish this, Japan has created a bot 
removal tool known as "CCC cleaner" which can be downloaded free of 
itnow.ccc.go.jp. 

cut results from the project include 31 000 trapped bot programmes 
lique) and 1 300 bot programmes reflected in the removal tool. To 
total of 57 000 users in Japan have downloaded the removal tool, 
ps for enhancing the project could include changing the composition 
/pots and broadening the reach of ISPs. 

- Automated Security Update Programme (ASUP) 

reduce the damage from vulnerabilities in Microsoft Windows, 
Internet Security Center (KrCERT/CC) and Microsoft Korea 
ated to develop and deploy the Automated Security Update 
ime (ASUP) to home and SMR users. The programme seeks to make 
net connected information systems install Windows security related 
without user intervention once they have installed ASUP. When 
sit major Korean websites, such as portals, online game sites, a 
window appears in the screen to confirm the installation of the 
While offering the same functionality as Windows automatic 
ASUP allows users to just click once to approve ASUP installation 
having to modify the configuration of Windows updates. 
Microsoft Korea has distributed the programme in accordance with 
headquarters' centralised patch policy, balancing user convenience 
ipany's philosophy on security. 

Sinkhole System 

sinkhole system works to prevent bots from connecting to botnet 
command and control (C&C) servers by subverting the IP address of the 






As shown in Figure 8.1, after the adoption of this sinkhole system in 
le botnet infection rate of Korea has reportedly dropped to almost 
d at the end of 2005, compared with that of January or February 



Figure 8.1 Botnet infection rate of Korea (2005-2006) 
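A resolver-side sinkhole of the kind the section describes, as an added example that is not part of the report and not KrCERT/CC's system: the resolver answers queries for known command-and-control names with an address the defender controls instead of the real one, and records which client asked, since that client is the likely infected host. The C&C hostnames, the zone data, the client addresses and the sinkhole address are all constructed sample values, and the blocklist stands in for whatever feed a real deployment would use.

```python
"""Resolver-side DNS sinkhole for known botnet command-and-control names.

Added example, not KrCERT/CC's system: the C&C names, the sinkhole
address and the query log below are all constructed sample data.
"""
from __future__ import annotations

from collections import defaultdict
from typing import Optional

# Address the sinkhole answers with (constructed; RFC 5737 documentation range).
SINKHOLE_IP = "192.0.2.1"

# Constructed blocklist standing in for a feed of known C&C hostnames.
CNC_DOMAINS = {"cnc.bad-example.test", "update.evil-example.test"}

# Constructed zone data for names that are not sinkholed.
REAL_RECORDS = {
    "www.example.com": "93.184.216.34",
    "mail.example.com": "93.184.216.35",
}


def is_sinkholed(qname: str) -> bool:
    """True if the name, or any parent of it, is on the C&C list.

    Matching parents means a bot that prepends random labels to its
    C&C domain still ends up at the sinkhole."""
    labels = qname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in CNC_DOMAINS for i in range(len(labels)))


def resolve(qname: str, client_ip: str,
            sightings: dict[str, set[str]]) -> Optional[str]:
    """Answer one query. Sinkholed names go to SINKHOLE_IP and the querying
    client is recorded so its owner can be notified of the infection."""
    name = qname.lower().rstrip(".")
    if is_sinkholed(name):
        sightings[client_ip].add(name)
        return SINKHOLE_IP
    return REAL_RECORDS.get(name)  # None stands in for NXDOMAIN


def replay(queries: list[tuple[str, str]]):
    """Run a batch of (client_ip, qname) queries and return the answers plus
    a per-client list of C&C names seen, i.e. the likely infected hosts."""
    sightings: dict[str, set[str]] = defaultdict(set)
    answers = [resolve(q, c, sightings) for c, q in queries]
    infected = {ip: sorted(names) for ip, names in sightings.items()}
    return answers, infected


# Constructed query log: (client_ip, queried name).
SAMPLE_QUERIES = [
    ("10.0.0.5", "www.example.com"),
    ("10.0.0.7", "cnc.bad-example.test"),
    ("10.0.0.7", "a1b2.update.evil-example.test"),
    ("10.0.0.9", "mail.example.com"),
    ("10.0.0.9", "nonexistent.example.org"),
]

if __name__ == "__main__":
    answers, infected = replay(SAMPLE_QUERIES)
    for (client, name), answer in zip(SAMPLE_QUERIES, answers):
        print(f"{client:10} {name:35} -> {answer}")
    print("clients that contacted C&C names:", infected)
```

The sightings table is the part that makes the sinkhole more than a blackhole: the infection-rate figures the text reports depend on being able to tell which customers are infected, and a resolver that only answers with the sinkhole address but keeps no record of who asked cannot support the notification and clean-up step.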




MC Finder 

additional countermeasure used by KrCERT/CC is the 
citation of MC Finder which locates malware on compromised 
;. MC Finder identifies an average of 500 exploited websites every 
n Korea. KrCERT/CC is sharing the malware patterns with Google 

iv effective technical solutions and resources have been developed 
threats relating, directly or indirectly, to malware. Some examples 
solutions and resources include the following: 

Domain Name System Security (DNSSEC) 






signatures to authenticate DNS information. Many countries are 
to deploy DNSSEC at the ccTLD, for example, Sweden, Bulgaria, 
Puerto Rico have moved their country code TLDs to DNSSEC; 
", it is important to have government, business, banking, and registry 
ttion to successfully implement DNSSEC. There are currently 
experimental tests of secure DNS zones. It is recognised that 
C will not eliminate all misuse of the DNS. Some consider that it 
eal private information from DNS databases and therefore pose legal 
;es for deployment in some countries. 

Domain level authentication 

/ that an e-mail message actually came from the sender's purported 
In other words, if a message claimed to be from abc@ftc.gov, the 
market authentication proposals would authenticate that the message 
om the domain "ftc.gov", but would not authenticate that the 
: came from the particular e-mail address "abc" at this domain. 
Specifically, if a phisher sent e-mail claiming to be from citibank.com, 
message would be filtered by ISPs because the message would not have 
from a designated Citibank mail server. Consequently, ISPs and other 
s of receiving mail servers could choose to reject unauthenticated e- 
subject such messages to more rigorous filtering. 
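The check described above, as an added example that is not part of the report or of any ISP's software: a receiving server looks up the policy the sender's domain publishes, tests whether the connecting mail server is one the domain designates, and decides what to do with the result. The published policies are constructed stand-ins for the DNS TXT records a real check would fetch (the record shown for ftc.gov is invented for the example), and the connecting addresses are sample values. Note that the local part of the address is never consulted, which is exactly the limitation the text points out.

```python
"""Domain-level sender authentication check in the style of SPF.

Added example, not the FTC's or any ISP's code: the published policies
below are constructed stand-ins for DNS TXT records, and the connecting
addresses are sample values.
"""
import ipaddress

# Constructed "DNS TXT records": which mail servers each domain designates.
# In a real deployment these come from a DNS lookup of the sender's domain.
PUBLISHED_POLICY = {
    "ftc.gov": "v=spf1 ip4:198.51.100.0/24 -all",
    "bank.example": "v=spf1 ip4:203.0.113.10 ip4:203.0.113.11 -all",
}


def parse_policy(record: str):
    """Return (networks the domain designates, result for everything else)."""
    networks, default = [], "neutral"
    for term in record.split()[1:]:          # skip the "v=spf1" version tag
        if term.startswith("ip4:"):
            networks.append(ipaddress.ip_network(term[4:], strict=False))
        elif term == "-all":
            default = "fail"                 # hard fail: not a designated server
        elif term == "~all":
            default = "softfail"             # suspicious, but do not reject outright
        elif term == "?all":
            default = "neutral"
    return networks, default


def check_sender(sender: str, connecting_ip: str) -> str:
    """Authenticate the *domain* of the sender, never the local part.

    "pass"  the connecting server is one the domain designates
    "fail"/"softfail"/"neutral"  it is not, per the domain's own policy
    "none"  the domain publishes no policy, so nothing can be checked
    """
    domain = sender.rsplit("@", 1)[-1].lower()
    record = PUBLISHED_POLICY.get(domain)
    if record is None:
        return "none"
    networks, default = parse_policy(record)
    ip = ipaddress.ip_address(connecting_ip)
    return "pass" if any(ip in net for net in networks) else default


def receiving_policy(result: str) -> str:
    """What a receiving ISP might do with each result: the text's two
    options are to reject, or to subject the message to stricter filtering."""
    if result == "pass":
        return "accept"
    if result == "fail":
        return "reject"
    return "rigorous-filtering"              # softfail / neutral / none


if __name__ == "__main__":
    samples = [  # constructed (sender, connecting IP) pairs
        ("abc@ftc.gov", "198.51.100.25"),
        ("xyz@ftc.gov", "198.51.100.25"),       # same domain, other local part: also pass
        ("alerts@bank.example", "192.0.2.44"),  # claims the bank, sent from elsewhere
        ("news@no-policy.example", "192.0.2.44"),
    ]
    for sender, ip in samples:
        r = check_sender(sender, ip)
        print(f"{sender:28} from {ip:15} -> {r:8} => {receiving_policy(r)}")
```

The second sample is the point the text makes: both abc@ftc.gov and xyz@ftc.gov pass from a designated server, because the check binds the message to the domain's mail infrastructure, not to a mailbox. The "none" result is also worth handling explicitly; a domain that publishes nothing gives the receiver no basis to reject, which is why the text frames the stricter options as a choice left to the operator.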

Filtering 53 

:ring is the most common technical anti-spam technology. The main 
of filters are the ease of implementation and the flexibility that users 
deciding which messages should be treated as spam. Heuristic filters 
that users specify criteria, such as keywords or a sender's address 
1 prompt the filter to block certain messages from reaching the 
;r's inbox. Spammers who deliberately misspell words or spell them 
erent language easily outsmart the keyword approach. More recent 
:arn based on experience. They create statistics about each user's 
:s in a recognition table for future reference to distinguish between 
nd legitimate mails. The filter then lets through only messages that 
; the user's previous legitimate mail. 
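The two filter families the paragraph contrasts, side by side, as an added example that is not code from the report: a heuristic filter that blocks on user-specified keywords, and a learning filter that keeps per-user word statistics (a naive Bayes recognition table) built from that user's past spam and legitimate mail. The keyword list and the training messages are constructed sample data. The example also shows the weakness the text names: a deliberately misspelled message slips past the keyword list, while the learned statistics still catch it because the same obfuscated tokens appeared in the user's earlier spam.

```python
"""Keyword (heuristic) spam filter beside a learning (naive Bayes) filter.

Added example, not code from the report: the keyword list and the
training messages are constructed sample data.
"""
import math
import re
from collections import Counter

WORD = re.compile(r"[a-z0-9']+")


def tokens(text: str) -> list:
    return WORD.findall(text.lower())


# --- Heuristic filter: the user names the criteria (here, keywords) ---------
KEYWORDS = {"free", "prize", "winner"}           # constructed user criteria


def keyword_filter(text: str) -> bool:
    """Block if any user-specified keyword appears verbatim."""
    return bool(KEYWORDS & set(tokens(text)))


# --- Learning filter: per-user statistics in a recognition table ------------
class BayesFilter:
    """Multinomial naive Bayes over one user's own spam and legitimate mail."""

    def __init__(self):
        self.word_counts = {"spam": Counter(), "ham": Counter()}
        self.message_counts = {"spam": 0, "ham": 0}

    def train(self, text: str, label: str) -> None:
        self.word_counts[label].update(tokens(text))
        self.message_counts[label] += 1

    def spam_probability(self, text: str) -> float:
        """P(spam | message) from the log-odds. Laplace (+1) smoothing keeps a
        word never seen in one class from zeroing the whole product."""
        spam, ham = self.word_counts["spam"], self.word_counts["ham"]
        vocab = len(set(spam) | set(ham))
        n_spam, n_ham = sum(spam.values()), sum(ham.values())
        log_odds = math.log(self.message_counts["spam"] / self.message_counts["ham"])
        for word in tokens(text):
            p_spam = (spam[word] + 1) / (n_spam + vocab)
            p_ham = (ham[word] + 1) / (n_ham + vocab)
            log_odds += math.log(p_spam / p_ham)
        return 1.0 / (1.0 + math.exp(-log_odds))

    def is_spam(self, text: str, threshold: float = 0.5) -> bool:
        return self.spam_probability(text) > threshold


def build_filter() -> BayesFilter:
    """Train on a constructed sample of one user's past mail."""
    f = BayesFilter()
    for msg in ["free prize winner click here now",
                "claim your fr33 pr1ze today click now",
                "cheap pills free shipping click"]:
        f.train(msg, "spam")
    for msg in ["project meeting tomorrow please review the report",
                "please send the quarterly report before the meeting",
                "lunch tomorrow after the project review"]:
        f.train(msg, "ham")
    return f


if __name__ == "__main__":
    f = build_filter()
    for msg in ["free prize inside", "fr33 pr1ze click now",
                "meeting tomorrow about the report"]:
        print(f"{msg!r:40} keyword={keyword_filter(msg)!s:5} "
              f"bayes={f.spam_probability(msg):.3f}")
```

The design choice worth noticing is that the learning filter's table is per user: the same token counts that let it flag "fr33 pr1ze" for a user whose spam folder contains that spelling would not exist for a user who has never received it, which is why such filters need a training period and a way for the user to correct misclassifications.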






Common Vulnerability Exposure (CVE) 54 

i is a dictionary of standardised names for vulnerabilities and other 
tion security exposures freely available to the public. The goal of 
to standardise the names for all publicly known vulnerabilities and 
exposures. CVE is a community-wide effort sponsored by the US 
nent. 

Common Malware Enumeration (CME) 55 

CME provides single, common identifiers to malware threats in the wild 
e public confusion during malware incidents. CME is not an attempt 
;e the vendor names currently used for viruses and other forms of 
:, but instead aims to facilitate the adoption of a shared, neutral 
• capability for malware. 

Internet Engineering Task Force (IETF) 

Internet Engineering Task Force (IETF) is a large open international 
lity of network designers, operators, vendors, and researchers 
sd with the evolution of the Internet architecture and the smooth 
n of the Internet. The actual technical work of the IETF is done in 
.ing groups, which are organised by topic into several areas (e.g. 
transport, security, etc.). Much of the work is handled via mailing 
e IETF holds meetings three times per year. 

World Wide Web Consortium 

World Wide Web Consortium (W3C) 56 is an international 
urn where Member organisations, a full-time staff, and the public 
gether to develop web standards. W3C's mission is "To lead the 
Wide Web to its full potential by developing protocols and guidelines 
ire long-term growth for the Web." 






Notes 



x http://cme.mitre.org/data/list.html - it is difficult to know whether 
delay in assigning CME references is a result of political problems 
with the project, a lack of co-operation from vendors, or attacks becoming 
more targeted and therefore falling outside the original scope of malware 
nl CME addresses). Some experts consider that tracking malware 
consistently across the industry is as large a problem as it was several 
years ago or even greater today due to the significant increases in the 
number of in-the-wild samples. Therefore, the problem of common 
malware identifiers is an issue that could still need to be addressed 
practically. 

:e "Instruments, Structures and Initiatives that Address Malware" 
te revised ESNA can be found at 

vw.dbcde.gov.au/_data/assets/pdfJilemil/71201/ESNA_Public_Poli 

_Statement.pdf. 

formation available at 

www.dcita.gov.au/communications_and_technology/publications_and_re 

formation available at www.nelalert.gov.au. 
formation available at 

http://ec.europa.eu/information_society/activities/sip/index_en.htm. 
formation available at www.getsafeonline.org/. 

:tSafe at www.netsafe.org.nz is an initiative of the Internet Safety Group 






formation available at www.teenangels.org/index.html. 
>uncil of Europe (2001), Articles 2, 3, 8. 

2006, Microsoft offered a substantial contribution to the Council of 

ie European Network and Information Security Agency (ENISA) 
ovides a comprehensive directory of CSIRTs/CERTs in Europe at 
www.enisa.europa.eu/cert_inventory/index_inventory.htm. 
2006, CERT/CC began hosting an annual meeting of CSIRTs with 
lional responsibility; see 
www.cert.org/csirts/national/conference2007.html. They also keep a list 
CSIRTs with national responsibility at 
www.cert.org/csirts/national/contact.html. 

Finnish Communications and Regulatory Authority (FICORA) 9 B/2004 
; available online at 
www.ficora.fi/attachments/englanti/n564H9W8i98/Files/CurrentFile/FICORA09B2004M.pdf. 

Federal Information Security Management Act (FISMA), 
\-w.pearts\v.ciim/resotirccs/tx]!cns/C>Xil'>Rcip<i rctiicnls.pdf. 
available online at www.first.org. 

APCERT website www.apcert.org/about/structure/members.htm. 

EGC members include: Finland - CERT-FI; France - CERTA; Germany 
- CERT-Bund; Hungary - CERT/Hu; Netherlands - GOVCERT.NL; 
Norway - NorCERT; Sweden - SITIC; Switzerland - SWITCH-CERT; 
United Kingdom - UNIRAS/NISCC. 

formation available at www.terena.org/activities/tf-csirt/. 

formation available at http://stopspamalliance.org/?page_id=11. 

Interpol includes 186 member countries, 
www.interpol.int/public/icpo/default.asp. 

formation available at 
www.interpol.int/Public/TechnologyCrime/WorkingParties/Default.asp. 

the Information Technology Crime Investigation Manual. This manual is 
normally available via Interpol's restricted website. 
formation available at www.londonactionplan.com. 



European Union (2005). 

introduced into UK law in November 2000. 



law defines hacking as penetrating a computer security system and 
ling access to secure data, without necessarily stealing data. 
isting law already limits sabotage to businesses and public authorities. 
Congressional Budget Office Cost Summary (2007) p. 1, 



www.acma.gov.au/WEB/STANDARD//pc=PC_100882. 

te following ISPs have now also joined the initiative: Access Net 
Australia, AUSTAR act, Bekkers, Chariot, iinet, OzEmail, Powerup, ihug, 
:Net, Internode, Agile, Neighbourhood Cable, iPrimus, Primusonline, 
5tkcy, AOL, Reynolds Technology, Riverland Internet and Soul. 

The NIPP is available at 
www.dhs.gov/xprevprot/programs/editorial_0827.shtm. 

ck, but in addition redirects users from an authentic website (from a 
bank for instance) to a fraudulent site that replicates the original in 
appearance. When a user connects its computer to, for instance, a bank 
web server, a hostname lookup is performed to translate the bank's 
domain name (such as "bank.com") into an IP address containing a series 
of numbers (such as 1 L )."o 1 ,65.37). It is during that process that malicious 
actors will interfere and change the IP address. See OECD (2008b). 
formation available at www.antiphishing.org/index.html. 
formation available at www.maawg.org. 

formation available at 

www.antispywarecoalition.org/documents/BestPractices.htm. 
formation available at http://www.it-isac.org. 
formation available at www.ieee.org. 

lis work item is still in a development phase as of April 2008. For more 

http://isotc.iso.org/livelink/livelink/fetch/2000/2122/327993/755080/1054 
4/254/793/JTC001-N-8620.pdf?nodeid=6542097&vernum=0. 

t defined by the proposed standard, cybersecurity refers to "the 



formation available at http://csrc.nist.gov/publications/nistpubs/800- 
83/SP800-83.pdf. 

formation available at www.w3c.org. 

jring the installation of Windows XP, users are asked to specify the 
King of Windows Updates (Use Automatic Windows Updates or Notify 

KrCERT/CC developed the ASUP programme with Microsoft Korea. Just 
installing the ActiveX control, users get protection from system 
vulnerabilities. 
:e OECD (2006). 

formation available at http://cve.mitre.org/. 
formation available at http://cme.mitre.org. 
formation available at www.w3c.org. 



9. POSSIBLE NEXT STEPS - 183 



Chapter 9. Possible Next Steps 



: book has only begun to lay the foundation for understanding the 
: phenomenon and how it is evolving. Further work in many areas 
id should be done to reach a better understanding. Fighting malware 
lex and would benefit from more comprehensive measurement, co- 
in and policy solutions. While many ongoing initiatives are 
ling, important resources to combating malware, there remain a 
of areas for improvement. 

Partnership against malware 

: need for a consistent approach to a global problem is not new, but 
■ presents particular complexities due to the wide variety of actors 
responsibility for combating malware. The communities involved in 

malware, whether governments, businesses, users, or the technical 
ty, need to improve their understanding of the challenges each of 
ices and co-operate - within their communities and across 
lities - to address the problem. Furthermore, their co-operation must 

the global level. It is not enough for one country or one community 
ively self-organise if others do not do so as well. 

ight of the need for a holistic and comprehensive approach to 
:, a common point of departure from which to build co-operation and 
'e action could be to launch at the international level a global "Anti- 
Malware Partnership" involving government, the private sector, the 
I community, and civil society. Such collaboration across the 
communities involved with fighting malware could benefit from the 
ice gained from developing the OECD's Anti-Spam Toolkit. 

different international public and private organisations, including the 






Improvement and further exploration

Specifically, the "Anti-Malware Partnership" could examine the following elements:

Proactive prevention strategies

This element could examine all or part of the following:

Reduction of software vulnerabilities (e.g. secure software development could be encouraged; governments could maximise their influence as buyers of software by requiring more secure software products as part of their procurement process).

Vulnerabilities can be discovered by researchers either in the private sector or academia, or by malicious actors with a motive for profit, or to conduct a targeted attack for espionage or other purposes. Most vendors encourage the use of 'responsible vulnerability disclosure' practices in which researchers inform the vendor about newly discovered software vulnerabilities and delay public disclosure to an agreed time to allow the vendor time to develop an appropriate software fix (patch).



Responsible behaviour by researchers could be promoted, for example by informing the affected company first rather than going public before a solution is available.



Patching is one way to mitigate against malware, but it is a reactive measure. Building security into the process for developing software would provide a more effective and comprehensive long-term solution. Software should be developed correctly the first time to minimise the occurrence of security defects. The time frame between the discovery of a vulnerability and the time of its exploitation is shrinking.



Further efforts could be made to develop software that resists compromise through layered protections and separation of privileges. The use of security validation methodologies for software products could also be promoted, as appropriate.






Governments could encourage the building of security in the development and deployment of software. They could also take advantage of their procurement of software to foster the development of more secure software products.



Awareness raising and education (e.g. further efforts should be made to improve online users' awareness of the risks related to malware, and of the measures they should take to enhance the security of their information systems).

Many websites and resources exist to help end users and SMEs secure their information systems, but few of those programmes specifically address or explain the problems of malware. Also, the number of resources can be overwhelming to users, as information and guidance can vary from entity to entity. Furthermore, some advice is inconsistent and may be inadequate in dealing with the rapidly changing nature of the threat. For example, advice that implies that the only necessary countermeasure is keeping one's anti-virus patches up to date is inadequate.



Such efforts could continue to strive to provide information in plain language so it can be understood by all participants, particularly those who have little technical knowledge or understanding. Given the continually evolving nature of malware, any awareness activities would need to be regularly updated or revised so that they remain effective. This would help to improve users' and SMEs' online behaviour and practices with a view to enhancing their ability to protect themselves from malware.



The possibility to include security and abuse management in 
registrar accreditation procedures and contracts. 

Standards and guidelines (e.g. update of security manuals such as the IETF Security Handbook should be encouraged to include new challenges such as those presented by malware).

Standards, guidelines and good practice are important tools for the technical community. Those that are specific to malware or targeted at communities with responsibility to fight malware are particularly important to ensure a comprehensive solution to the problem. For example, the Internet Engineering Task Force's Security Handbooks, which provide guidance for ISPs and users, could be revised and updated to account for the






Research & Development (e.g. malware detection and analysis, security usability - how people interact with machines, software and

While this report does not attempt to examine the activities of the research community, it is important to recognise their importance in combating malware. Both government and the private sector have a role in funding and conducting research and development (R&D) on a range of information technology topics, including security risks.

Public and private sector R&D programmes focused on the security of information systems and networks could also consider malware.



Measuring the malware problem

This element could examine and foster efforts to more accurately and consistently measure the existence and impacts of malware.

Many entities track, measure and sometimes even publish data on their experience with malware and related threats.4 However, vendors, CSIRTs, and the business community all have different data and ways of measuring the magnitude of the malware problem and its associated trends. Furthermore, there are many types of malware and little consistency of naming conventions in the technical community for identical types of malware. While existing data is helpful in understanding parts of the malware problem, it is not easily comparable in real and absolute terms.

Efforts should be made to more accurately and consistently catalogue, track and measure the existence of, effects from and impact of malware.

Policies and practices

Whois data is an important resource for attributing incidents of malware, and therefore it should remain accurate and accessible to law enforcement.5 Furthermore, malicious actors often abuse domain name registration policies, such as ICANN's "add-grace period" or the minimal information requirements set out by some domain name registrars (DNRs), to avoid detection by authorities.






There are numerous DNRs that all have different policies and practices for addressing malicious online activity. For example, there are 250 country code Top Level Domains (ccTLD) in the world that set their own policies, which are not necessarily harmonised or co-ordinated. These different practices and policies may result in a different outcome each time a DNR is asked to take action against malware.



DNRs could be encouraged to develop common codes of practice at the national and international levels in co-operation with other stakeholders.



As is the case with DNRs, there are thousands of ISPs that all have different policies and practices for addressing malicious online activity. ISPs are perhaps the best placed actors in the chain to help stop some types of malware attacks, such as DDoS and botnets sending spam.

While many ISPs are working to improve security policies, some tend to host a higher than average amount of malicious activity. These different practices and policies may result in a different outcome each time an ISP is asked to take action against malware, which impairs the ability to fight malware in an effective and consistent manner.

ISPs could be encouraged to develop common codes of practice at the national and international levels in co-operation with other stakeholders.



Co-operation for improved response

This element could examine the following:

Co-operation among CSIRTs (computer security incident response teams) (e.g. CSIRTs with national responsibility could share points of contact and work collectively to improve information sharing).

Codes of practice (e.g. a common code of practice for ISPs could be developed at the national and global levels in co-operation with governments; likewise, a common code of practice for DNRs (domain name registrars) could be developed at the national and global levels in co-operation with ICANN, the Internet community as well as others, as necessary).






CSIRTs with national responsibility could be encouraged to improve cross-border information sharing mechanisms for effective protection, detection and response against malware.



Personal contacts within informal trust networks enable the security response community to, for example, get an ISP to quickly act on a case of malware. There is not one informal network, but rather several, which may be overlapping. An ISP may approach a contact at a national CSIRT in another country in order to get in touch with the relevant representative at an ISP in that country. These contacts are reciprocal. They are also contacted about malware on their own network and are expected to act on that information, playing a critical role as the first line of defence against attacks using malware. Possibly one important role of a national CSIRT would be to also act as a formal Point of Contact (POC) for handling IT incidents affecting the government and to receive requests for mutual assistance across jurisdictions.



Efforts to establish CSIRTs around the world could continue, especially where they do not exist at the government or national levels, and consideration could be given to designating them as the Point of Contact for national co-ordination and international co-operation against malware.



Improved legal frameworks

Regulations

International harmonisation/interoperation of cybercrime laws is needed. Widespread adoption of the Council of Europe's Convention on Cybercrime may be effective in this respect. While 25 out of 30 OECD member countries have signed the Convention, only 9 of those 25 have ratified it. Furthermore, out of 21 APEC economies only 3, which are also Members of the OECD, have signed the Convention, and of those 3 not all have ratified the Convention. The Convention provides a framework for co-operation and is a general commitment to co-operate internationally against cybercrime.

Consideration could be given to ratifying the Council of Europe's Convention on Cybercrime.






Strengthened law enforcement

This element could examine the following:

Government efforts to provide mutual assistance and share information for the successful attribution and prosecution of cybercriminals.

Co-operation between CSIRT teams and law enforcement entities.

Resources necessary for specialised cybercrime law enforcement units to be able to investigate and prosecute cybercrime in co-operation with other concerned public and private stakeholders. Malicious actors take advantage of the fact that many countries do not have adequate legal frameworks/cybercrime laws and cyber investigation capabilities. They also take advantage of the complex challenges faced by law enforcement and incident response when working outside their jurisdictions, which are defined by geographical boundaries. Cross-border information sharing among law enforcement entities is a critical element of investigating and prosecuting cyber criminals. While mechanisms such as the G8 24/7 Network provide for points of contact among such law enforcement entities, it is unclear how such networks co-operate among themselves.

Because of the highly technical nature of malware, governments should provide regular training for judges, prosecutors and other law enforcement

... leads for law enforcement to investigate cybercrime. Malware analysis is often conducted using methods such as hard drive imaging, "real-time" forensics, antivirus testing, and reverse engineering (CERT Coordination Center, 2007). In some cases these practices may not be allowed under laws that protect intellectual property.



Exceptions to laws that prohibit reverse engineering malware could be considered for law enforcement and research purposes, with appropriate safeguards for the rights of owners of intellectual property.

There may be tensions between the protection of privacy and actions to fight malware. For example, CSIRTs may need to share information, such as






... for example, dismantle botnets and conduct investigation into the malicious activity.

Data protection laws could be applied in a way that does not prohibit the sharing, with the appropriate safeguards, of IP addresses and other information that may be necessary for fighting malware.



Technical measures

This element could examine the following:

Technical measures such as filtering, DNSSEC, sinkholing and many others could be examined to understand how they would help

How users might be provided with better tools to monitor and detect the activities of malicious code, both at the time when a compromise is being attempted and afterwards.

Malware presents complex technical challenges and therefore solutions for combating it need to be supported by technical measures, such as filtering, which may be an effective way to minimise the amount of illegitimate traffic on the network. Some examples of existing technical measures and resources are provided in Chapter 8.

Efforts to develop and implement effective technical solutions to detect, prevent and respond to malware could be encouraged.

Users should be provided with better tools to monitor and detect the activities of malicious code, both at the time where a compromise is being attempted and



Economics of malware

This element could examine the following:

How to strengthen existing security-enhancing incentives of market players.

Introduction of security-enhancing incentives through alternative






An economic perspective on malware would provide policy makers and market players with more powerful analysis and possibly a starting point for governmental policies related to incentive structures and market externalities.

The following could, for example, be topics for further exploration:

Effectiveness and economic effects of assigning alternative forms and levels of legal rights and obligations (e.g. liability) to the different stakeholders. This would include legal constraints for ISPs to monitor and manage their networks (e.g. related to privacy, 'mere conduit', 'safe harbour' provisions).

Effectiveness and economic effects of blacklisting on ISP and end user security.

Effectiveness and economic effects of global measures to strengthen law enforcement and collaboration in the area of malware.

Effectiveness and economic effects of technological solutions to the problem of malware (e.g. 'security moving into the cloud' and 'tethered devices' for end users).

Strength of reputation effects and other feedbacks in mitigating the problem of information security.

Efforts to quantify the magnitude of the overall social externality due to lack of trust in the e-commerce system (growth effects, GDP impact).

Better assessment of the strength of the trade-offs between usability, availability, functionality, performance, cost and security.

Malware in next-generation networks and system architectures (e.g. more mobile, EoIP - everything over IP - networks, Web 2.0).

Obstacles to and means to enhance incentives for information security of individual users.






Information sharing, co-ordination and cross-border co-operation

This element could examine the following:

The cross-cutting need for information sharing, co-ordination and cross-border co-operation.

Suggestions for disseminating the anti-malware guidance at the global level and following up on its implementation.

All of the previously mentioned areas for action illustrate the cross-cutting need for information sharing, co-ordination and cross-border co-operation. However, the communities of actors described above do not yet collaborate in an effective manner to combat malware. Information sharing and co-ordination among the private sector, the government and other stakeholders is not always adequate to detect, respond, mitigate and take appropriate enforcement measures against malware. This can be at least partially attributed to the fact that no comprehensive international partnership for collaboration against malware does yet exist despite the important work underway. (See Chapter 8 for examples of existing international co-operation.)

A more holistic approach involving an integrated mix of policy, operational procedure and technical defences could be considered to ensure that information sharing, co-ordination and cross-border co-operation are effectively integrated and addressed.

The success of such a global "Anti-Malware Partnership" would require engagement from all participants. Such an effort, however, would generate significant advances in the international community's ability to overcome obstacles to addressing a global threat like malware through co-ordinated action.







... from businesses to government to end users. While malware often propagates via the Internet, it is important to remember that it is software which can be introduced into Internet connected and non-Internet connected information systems. Malware, whether used directly or indirectly to conduct malicious activity online, erodes trust and confidence in the Internet and the Internet economy.

The 2002 OECD Guidelines for the Security of Information Systems and Networks provide principles that remain relevant and applicable to the fight against malware. The nine principles of Awareness, Responsibility, Response, Ethics, Democracy, Risk assessment, Security design and implementation, Security management and Reassessment apply to participants at all levels, including at the policy and operational levels. The Guidelines can and should be applied to the challenges raised by malware today.

The rapidly evolving nature of malware makes international co-operation essential to addressing the problem. This co-operation should be informed and enhanced by accurate and quantitative measurement of the problem and the underlying economics at play. While this paper details many of the problems presented by malware, it is only a first step in moving towards a solution. A holistic and multi-stakeholder proactive approach is needed to take advantage of all opportunities for improvement across the various communities addressing malware.






Notes 



Information available at www.w3c.org.

For an example, Microsoft is one. See www.microsoft.com/technet/ (remainder of URL illegible in the scan).

Industry organisations, such as APACS, have reported no reduction in the amount of phishing due to awareness campaigns and public figures highlighting the problems and scale of the attack. APACS (2006), Vulnerability and threat assessment of authentication mechanisms used for Internet based financial services - 2006 review, pages 3 and 4.

See Annex A, Background Data on Malware.

Civil liberties groups have recommended that ICANN limit the use and scope of the Whois database to its original purpose and establish its policies based on internationally accepted data protection standards. Public availability of Whois data may also conflict with the EU Data Protection Directive, which limits access and collection rights to the database's original technical purposes.



ANNEX A. BACKGROUND DATA ON MALWARE - 195 



Annex A. Background Data on Malware 



Although malware as we know it today is a relatively new phenomenon compared to the early days of worms and viruses, it is growing and evolving at impressive rates. Trends in data show that while the categories of malware used to conduct malicious activity (i.e. virus versus Trojan) change and evolve over time, the use of malware is steadily increasing.

Computer Security Incident Response Teams (CSIRTs) or Computer Emergency Response Teams (CERTs), software and anti-virus vendors, and more generally security companies are examples of entities that track and measure the existence of malware. While the data provided below is helpful in understanding elements of the malware problem, it is not easily comparable in real and absolute terms, and thus this paper does not attempt to make comparisons or draw conclusions across disparate sets of data. This annex is primarily intended to demonstrate the type of information available and the different analytical perspectives of the organisations listed below.



Data provided by CSIRTs

AusCERT

AusCERT is the national Computer Emergency Response Team for Australia. AusCERT provides computer incident prevention, response and mitigation strategies for members.

In Figure A.1, each incident represents a single unique URL or domain name. The number of IP addresses associated in a single incident or single attack is variable but can range from 1 to around 100.



Figure A.1. Online ID theft Trojan incidents handled by AusCERT

Source: AusCERT (2006).



Figure A.1 does not include specific compromised hosts involved in any single attack or incident - only URLs and domain names. Nor does this include the number of computer infections (compromised hosts) that occur in each attack, of which there are generally many hundreds or thousands.

The high figures for July 2007 are due to the Storm Trojan (often incorrectly referred to as a worm). It does not automatically propagate and has botnet C&C functionality, inter alia.

CERT Brazil (CERT.br)

CERT.br is a national CERT which collects public statistics on the incidents that are reported to them voluntarily. For example, a home user may report when he/she received an e-mail that is clearly a fraud attempt, with a link to a malware executable. CERT.br tests to see if the executable is genuine and then reports the occurrence to the host of the site. They also






Table A.1. CERT.br Incident Reports

(Table structure not recoverable from the scan. Surviving row labels: Worm (1); Total number of incidents reported. Surviving cell values: 75 722, 42 268, 197 892, 109 676, 86, 448, 27, 25.)

1. The worm category covers reports received of worm/bot propagation and port scans of ports used by worms/bots to propagate (445, 135, 5900, etc.). These reports are sent by firewall administrators and even home users using personal firewalls, etc. It is important to note that the worm category does not try to count machines infected by worms, but incidents regarding worm propagation attempts.

2. An invasion, according to the CERT.br classification, is a system compromise - this is detected by the system owner/administrator and reported to CERT.br. For example, a server administrator sends CERT.br a report saying his/her machine was invaded, a rootkit was found, etc.

3. The fraud category refers to various fraud types: copyright infringements, credit card fraud, phishing and malware related fraud. The last one is the majority of the



CERT/CC, United States

The Computer Emergency Response Team Coordination Center (CERT/CC) at Carnegie Mellon University collects data on malware from public and private sources. Since 2006, CERT/CC has been collecting, analysing and cataloguing every piece of malware it is able to find that has been distributed via the Internet or which otherwise has found its way onto computer systems. While many malware artefacts have similar functionality, each one is considered to be a unique variant if it generates a unique MD5 or similar hash value.1 Therefore, some types of self-propagating malware such as viruses and worms which produce many thousands of identical copies would be counted as a single variant.2

Since the figures below from CERT/CC, while not necessarily complete, are nonetheless significant in their depiction of malware trends, they show an exponential increase in malware artefacts3 from January 2006 to March 2007. From less than 50 000 in January 2006, the total number of artefacts rose to 350 000 in March 2007, as represented in Figure A.2 below. For each month of the same period, Figure A.3 represents the
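The hash-based counting rule described above (and the caveat in note 1 of this annex, that re-packing the same code yields a new hash) can be made concrete with a small catalogue. The following Python is an added illustration written for this edition, not CERT/CC's own tooling; the "artefacts" are constructed byte strings, the packer is a hypothetical zlib wrapper standing in for a real executable packer, and the function names are ours. It shows that a thousand identical worm copies collapse to one variant, that three re-packed copies of the same payload count as three variants under a file-hash rule, and that hashing the unpacked payload instead collapses them back to one.

```python
import hashlib
import zlib
from collections import Counter

# Constructed sample payloads: arbitrary bytes standing in for collected files.
PAYLOAD_A = b"constructed sample payload A: not real malware, just bytes"
PAYLOAD_B = b"constructed sample payload B: a functionally different program"

MAGIC = b"PK01"  # marker for the hypothetical packer below


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def md5_hex(data: bytes) -> str:
    # MD5 is kept only because the text above names it as the cataloguing key.
    return hashlib.md5(data).hexdigest()


def repack(payload: bytes, level: int) -> bytes:
    """Hypothetical packer: same payload, different container bytes.

    The compression level is recorded in the header so that every level
    produces a distinct file even when the compressed stream is similar.
    """
    return MAGIC + bytes([level]) + zlib.compress(payload, level)


def unpack(blob: bytes) -> bytes:
    """Inverse of repack(); non-packed input is returned unchanged."""
    if blob.startswith(MAGIC):
        return zlib.decompress(blob[len(MAGIC) + 1:])
    return blob


def count_variants(files, normalise: bool = False) -> Counter:
    """Catalogue files by digest; equal digests are one variant.

    With normalise=True the digest is taken over the unpacked payload, so
    re-packed copies of one program fall into a single variant.
    """
    counts: Counter = Counter()
    for data in files:
        key = sha256_hex(unpack(data) if normalise else data)
        counts[key] += 1
    return counts


def build_sample() -> list:
    """Constructed collection: one worm outbreak, three re-packs, one other program."""
    worm_copies = [PAYLOAD_A] * 1000                       # identical copies
    repacked = [repack(PAYLOAD_A, lvl) for lvl in (1, 6, 9)]  # same code, new bytes
    return worm_copies + repacked + [PAYLOAD_B]


def summary(files) -> dict:
    return {
        "files": len(files),
        "variants_by_file_hash": len(count_variants(files)),
        "variants_by_payload_hash": len(count_variants(files, normalise=True)),
    }


if __name__ == "__main__":
    print(summary(build_sample()))
```

The file-hash count is the figure a CERT/CC-style catalogue reports; the payload-hash count is what a catalogue would report if it unpacked artefacts before hashing, which is one way to keep re-packing from inflating variant statistics.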






CERT-FI, Finland

CERT-FI is the Finnish national Computer Emergency Response Team whose task is to promote security in the information society by preventing, observing and solving information security incidents and disseminating information on threats to information security. Figure A.4 represents the cases handled by the CERT-FI Abuse Autoreporter system, their automated abuse case processor. The graph is cases / month, normalised to 100 =

Figure A.4. CERT-FI Abuse Autoreporter monthly case processing volume (normalised 1/2006 = 100)




KrCERT/CC

KrCERT/CC gathers data from honeynets and incident reports. The 2005 and 2006 data from both incident reports and honeypots show a decrease in the number of worms and an increase in the number of Trojan horses from 2005 to 2006 (see Figures A.5 and A.6).

Figure A.5. Incident reporting to KrCERT/CC by month (2005-2006)

NorCERT, Norway






Norwegian National Security Authority (Nasjonal sikkerhetsmyndighet - NSM)

Figure A.7. Incidents handled by NorCERT in 2007 (pie chart; the one legible slice reads "DoS, 6.91%")

Data provided by software and anti-virus vendors

Association for Payment Clearing Services (APACS)

APACS, the UK payments association, is a trade association for institutions delivering payments services to end customers. It enables the industry to address co-operative aspects of payments and their development. It is the main industry voice on issues such as plastic cards, card fraud, cheques, e-banking security, electronic payments and cash. Working Groups address co-operative areas such as developing authentication solutions and responding to attacks on e-banking customers. Figure A.8 tracks the number of Trojan incidents targeting UK banks from February 2005 to December



Figure A.8. Trojan incidents targeting UK banks

























Kaspersky Lab

Kaspersky Lab is an international information security software vendor, headquartered in Moscow. Kaspersky Lab reported an exponential increase in previously unknown malicious programmes from 2001 to 2006, as illustrated in Figure A.9. They also reported a steady increase in the number of Trojan spy programmes designed to steal information from users' online accounts (Kaspersky Labs, 2006).

Figure A.9. Increase in the number of new malicious programmes (x-axis: 2001, 2002, 2003, 2004, 2005, 2006)






Microsoft

Microsoft gathers data from several anti-malware products and services deployed on information systems running Microsoft products. Based on data observed from January to June 2006, Microsoft reported the emergence of more than 43 000 new malware variants between January and June 2006 (Microsoft, 2006a). This can at least partially be attributed to the current availability of malware for purchase on the Internet; it is easier for attackers to modify a piece of existing malicious code rather than create a new "family" of malicious code.

Microsoft also reported that among new malware variants, backdoor Trojans accounted for the highest number (see Figure A.10). The figures demonstrate that the four most common categories where new variants have originated were of the non-self-propagating varieties, which are typically associated with smaller scale cyber attacks aimed at illicit financial gain, particularly financial fraud.



Figure A.10. Microsoft Malicious Software Activity from January - June 2006 (x-axis: Malware Category)



Sophos

Sophos gathers data from 35 million users in 150 countries that

Figure A.11. Trojans versus Windows Worms and Viruses in 2006

Source: Sophos (2007a).



Symantec

Symantec gathers information from 40 000 registered sensors in 180 countries, 120 million desktop computers, gateway and server antivirus installations, and 2 million decoy accounts in the Symantec Probe Network. Its operations are conducted from four security operations centres and its research centres. Symantec software products are deployed on more than 370 million computers or e-mail accounts worldwide.

Symantec reported a decrease in the amount of worms5 and backdoors and an increase in the amount of viruses and Trojans.

In addition to this data, the Symantec Corporation reported an increase in previously unseen malware, or new families. Between July and December 2006, Symantec honeypots4 discovered 136 previously unseen malware families, an increase of 98 from the previous 6 months (Symantec, 2007). It is important to note that while information gathered from honeypots and sensors is useful, it is not necessarily representative of a global trend.



Figure A.12. Malicious code types by volume




Notes on the data

The data on malware presented above comes from a variety of very different and incomparable sources (national CSIRTs, software vendors, and anti-virus vendors). The definitions, types of incidents, type of damage, time frame and scope are not harmonised across these various organisations, and therefore it is necessary to be prudent in comparing such disparate data.

However, it is more or less possible to highlight certain tendencies that seem to be shared: i) a significant and noticeable rise in security incidents related to malware; and ii) Trojan malware becoming more and more prevalent when looking across types of malware. As has often been noted, there are fewer serious outbreaks of worms and viruses, and thus a large part of the increase in malware variants can generally be attributed to non-self-propagating varieties, which usually have a more harmful payload/functionality and tend to be financially motivated. Despite the lack of agreement by certain stakeholders interested in measuring malware on some of the data, it is possible to summarise and highlight several trends that demonstrate that the problem of malware is becoming more and more significant.



Box A.1. Summary of sample data on malware

Table A.1: Total number of incidents reported - +225%.
Figure A.2: Total artefacts in the last year - +250%.
Figure A.6: Decline of worm related incidents - -25%; increase of Trojan incidents - +30%.
Figure A.11: Malicious programmes increase by [figure illegible]% in the last 5 years.



While it is true that many attack trends are increasing, it is unclear how these trends relate to the overall damage caused by malware. Detecting a larger number of Trojan variants does not necessarily mean that there is more damage. It could also be a response to improved security defences. Similarly, signalling that large-scale botnets are shrinking in size does not necessarily mean that the countermeasures are effective. It might be that attackers have found smaller and more focused botnets to be more profitable. In short: because malicious attack trends are highly dynamic, it is difficult to draw reliable conclusions from the trends themselves.






Notes 



1. Attackers often generate a new malware variant from an existing piece of malware by simply changing the manner in which the code is 'compressed and packed', rather than changing the malware code itself. For example, see http://us.trendmicro.com/us/threats/enterprise/glossary/compression/index.php. New variants produced in this manner are not each given a new CME number. Multiple variants which are considered to be identical in functionality and form will have the same CME number, whereas even small variations in malware byte code will produce a new CME number. See http://cme.mitre.org/cme/process.html.

2. This approach is important, as counting each infection from a single large worm or virus outbreak can skew the results and does not reflect the actual level of development of new variants by many attackers specifically in order to evade detection by anti-virus products.

3. An artefact is a file or collection of files which may be used by adversaries in the course of attacks involving networked computer systems, the Internet, and related technologies.

4. In computer terminology, a honeypot is a trap set to detect, deflect or in some manner counteract attempts at unauthorised use of information systems. Generally it consists of a computer, data or a network site that

... resource that would be of value to attackers. Two or more honeypots on a

5. This drop can largely be attributed to the decline in reports of major worms such as Sober.X, Blackmal.E, and Netsky.P since the first half of 2006.



ANNEX B. RESEARCH DESIGN FOR ECONOMICS OF MALWARE - 209 



Annex B. Research Design for Economics of Malware

The evaluation started with an exploration of the incentives at work in each individual organisation and those related to the decisions of other competing or complementary organisations. The reliability of the evaluation is increased if interdependent stakeholders present compatible accounts of the relevant incentives and their effects. Attempts were made to interview several organisations in each segment of the value chain to construct narratives that are as coherent as possible. In a subsequent analytical step, these individual narratives were then integrated to assess the overall incentive structure of the sector and the resulting externalities.

Data collection

In the course of 2007, we conducted 41 in-depth interviews with 57 professionals from organisations participating in networked computer environments that are confronted with malware. Firms from the following segments of the value net were approached:

Internet Service Providers
E-commerce companies, including online financial services
Software vendors
Hardware vendors
Registrars
Security service providers
Different types of end users
Governance institutions (regulators, consumer protection agencies, CERTs)






interviews were carried out using a semi-structured questionnaire. 

for the specific situation of the interviewee. In each instance, we 
how the organisation was confronted with malware, what its 
es were, what trade-offs were associated with these responses, and 

organisation was affected by the actions of other market players. As 
on practice in the social sciences, we have treated all interview data 
dential, so as to enable the interviewees to share information with us 
y as possible. Consequently, no interviewee or organisation is 
d by name in relation to specific data and all quotes have been 
d by the respective individuals/organisations beforehand for 
ion. All statements in the report are based on interview transcripts 
d documents supporting the findings. Although this limits the direct 
lity from readily available public sources, we felt that given the 
ory stage of research in this area, our approach would enable us to 
er insights into market-sensitive economic data and decision making. 

md limitations 

re turning to the empirical findings, it is important to note the scope 
itations of this study. The global and heterogeneous nature of the 
m of Internet services implies that any study of incentives is almost 
ssity an exploratory study. The limited time and budget available for 
ly allowed for a limited number of interviews in six countries. The 
y of the interviews took place in the United States and the 
nds, with additional interviews in the United Kingdom, France, 
y and Australia. The next section presents our findings for five of 
ket players we interviewed: 

Internet Service Providers 
E-commerce companies, including online financial services 
Software vendors 
Registrars 
End users 

We intended to also describe the incentives for hardware vendors 
ut we were unable to secure sufficient interviews with hardware 
to provide the basis for such a description. The examination of the 






le these interviews have proven to be highly informative, the 
drawn from them should be read with caution. First of all, it is 
ble to assume that the set of interviewees is influenced by some 
of self-selection. ISPs, for example, are more likely to respond 

That said, some of the organisations we interviewed are publicly 
for a less than stellar track record with regard to security - which 
en explicitly acknowledged during the conversations. Second, the 
al findings report on how stakeholders themselves describe what 
doing and why. In other words, we report on the perceptions of the 
ees, not some independent assessment of their actions and the 
driving them. Whenever possible, we did cross-check information 
d to us against the information from other interviews and against 

available data, such as security reports, surveys and research 
ions. Third, the interviews touch on many issues that concern 
ary or otherwise confidential data. Interviewees were not always 
share this data with us and if they were, we were constrained in 
g them. Fourth, and last, our interviews involved six different legal 
ions. Some incentive mechanisms are generic but others are context- 

Our approach hence provided us with a sense of the degree to 
ertain findings were country-specific and therefore could not fully 
e heterogeneity of all OECD members. 

e circumstances make it more difficult to generalise our findings, 
r, very little empirical field work has been done in this area so far. 
of the rapidly increasing political attention given to the issue of 
and the policy initiatives currently under debate, this is a critical 
. Our study contributes to overcoming this omission. At the very 
makes clear the urgency of developing a further-improved in-depth 
nding of the economics of malware to increase the probability of 
terventions to succeed. 



ANNEX C. A FRAMEWORK FOR STUDYING THE ECONOMICS OF MALWARE - 213 



x C. A Framework for Studying the Economics of Malware 



information and communication technology (ICT) industries form a 
ecosystem, and their services permeate most other economic 
s. Security problems and the related economic costs to society may 
wo roots: i) they are the outcome of relentless attacks on the 
ion and communication infrastructure by individuals and 
tions pursuing illegal and criminal goals; and ii) given an external 
vel, they may be aggravated by discrepancies between private and 
costs and benefits, which are the outcome of decentralised decision 
in a highly interrelated ecosystem. Both actors in the illegal and 
realms, as well as legitimate participants within the information and 
nications system, respond to the economic incentives they face. 

his complex value net (see Figure C.1), economic decisions with 
to information security depend on the particular incentives perceived 
player. These incentives are rooted in economic, legal, and informal 
sms, including the specific economic conditions of the market, the 
endence with other players, laws and regulations, as well as tacit 

in each participant's own purview and constraints each participant 
s rationally to a variety of incentives, even though the available 
ion may be incomplete. However, for the economic efficiency of 
le value system, it is critical that the incentives of the individual 
nts be aligned with the overall conditions required for societal 
y. In other words, the relevant incentives should assure that the 
osts and benefits of security decisions match the societal costs and 
. In the case of differences between private and societal optimal 
s, the prevailing incentive mechanisms should ideally induce 
ants toward higher social efficiency. 






Figure C.1 Information industry value net 

[Figure residue: the value net diagram itself is not recoverable; its labels name different types of application and service providers, different ISPs, and different types of users (small, large, residential, business).] 

alignment between private and social efficiency conditions may take 
orms. In case of incomplete information, the perceived incentives of 
al players may deviate from the optimal incentives. A related issue 
roblem of externalities, systematic deviations between the private 
or costs and the societal benefits or costs of decisions. Due to the 
gree of interdependence, such deviations from optimal security 
s may cascade through the whole system as positive or negative 

the research on the economics of crime has illustrated, criminal 
s may be analysed in a market framework. The activities in the 
or cybercrime and cybersecurity are closely interrelated. Before the 
of incentives and externalities can be explored in more detail, we 
erefore, briefly explore the working of these markets and their 



ysis of cybercrime 






criminal activity. Franklin et al. (2007) also employ an economic 
ork to study an underground economy based on "hacking for profit." 
so a slightly different representation than those studies, based on 
l analysis. It is reasonable to assume that a higher level of security 
is is only possible at increasing cost. Furthermore, it is likely that 
tional cost will increase more than proportionally as the extent of 

violations increases. 

he other hand, the marginal benefits of additional security violations 
creasing function of the level of violations. This is an expression of 

that the most lucrative crimes will be committed first, and that 
al criminal activity will only yield lower marginal benefits. 
ls will extend their activities until the marginal cost of additional 

violations approximates their marginal benefits. The magnitude of 
efits and costs of crime is dependent on a number of variables, some 
h are affected by private and public measures to enhance security. A 
examination of these factors allows comparative assessments of 

outcomes. It also sharpens understanding of the principal 
lities to intervene in the market to reduce cybercrime. 

ological change, the increased specialisation and sophistication in 
duction of malware, and the globalisation of the information and 
ication industries have all reduced the marginal cost of crime.1 In 
s cost decrease has dramatically expanded the supply of crime, as 
from countries and regions with low opportunity cost of labour 
increase the net benefits of crime) join criminal activities. Such 
marginal costs of security violations will shift the marginal cost of 
chedule downwards. Assuming that other things, especially the 
relationship, remain unchanged, reductions in the marginal cost of 

nological change and globalisation have also increased the benefits 
. For example, the wider reliance on e-commerce and credit card 
ons has increased the opportunities to exploit technical and personal 
loopholes. The globalisation of the Internet has also enabled 
s to reach a larger number of potential victims. These changes shift 
ginal benefit curve upwards (not captured in Figure C.2). Other 
eing equal, this increase in the marginal benefits results in a higher 
security violations. The presence of both effects explains much of 
ised level of activity of security violations. In principle, however, 






Figure C.2 Markets for crime and security 

[Figure residue: two panels, security violations (0% to 100%) and security (0% to 100%), showing the marginal benefits of crime, marginal costs of crime, marginal benefits of security and marginal costs of security schedules.] 

rket for cybersecurity 

market for security can be analysed using a similar approach. It is 
ble to assume that higher levels of security can only be achieved at 
marginal costs. On the other hand, the marginal benefits of security 
rease. Unless the benefits exceed the cost throughout, the resulting 
level of security will be below 100%, at least on an aggregate level.2 

nges in the costs of providing security and the benefits of having 
will shift the marginal cost and benefit schedules and affect the 
outcome. A reduction in the cost of security, for example, due to the 
lity of more efficient and cheaper filtering software or a new 
architecture that might reduce the propagation of malware, will 
hings being equal) result in a higher level of security. Likewise, 
benefits of security, perhaps because of the utilisation of more 
-critical applications, will (other things being equal) result in a 
level of security. However, such initial changes may result in 
ent adjustments by other actors, who might reduce their expenditure 
rity in response, leaving the overall effects on the resulting security 
mbiguous at best (see the arguments in Kunreuther and Heal, 2003). 






Figure C.3 Markets for crime and security 

[Figure residue: the same two panels as Figure C.2, security violations (0% to 100%) and security (0% to 100%), with the marginal benefits of crime, marginal benefits of security and marginal costs of security schedules.] 

$\partial MBC/\partial S < 0$ expresses the changes of the MBC curve in response to a change in the 
security S. The negative sign implies that the marginal benefits of crime move 
pposite direction from marginal changes in security, i.e. increased security 
the marginal benefits of crime, all other things being equal. 



ion of cybercrime/cybersecurity 

markets for cybercrime and security are highly interrelated (Figure 
ctivities in the market for cybercrime affect the market for security 
versa. Most likely, an increased level of security violations will 

the marginal benefits and the marginal costs of security, shifting 
edules upwards. On the contrary, a lower level of security violations 
from the market for crime will shift both schedules down. On the 
nd, variations in security will have corresponding effects on the 

violations, and it will reduce the marginal benefits of crime. The 
act on the overall level of security is difficult to predict and will 
on the relative strengths of variations in security violations on the 
d benefits of security. A higher level of security violations could 






l of security. But for all actors it will likely result in higher costs for 
ing a certain level of security. On the other hand, a higher level of 

will induce changes in the market for crime in that it will increase 
inal cost of security violations and, at the same time, reduce the 
l benefits of crime. Both effects will mutually reinforce each other, 
ntributing to a lower level of security violations. Since parameters in 

the markets change continuously, the outcomes of the resulting 
mutual adjustment are difficult, if not impossible, to model, 
h the directions of change seem to be robust. 
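The two-market model of this annex (the market for crime, the market for security, and the mutual adjustment between them described just above) is easier to reason about with numbers in hand. The Python block below is an added illustration and not the report's own model: it assumes simple linear and quadratic marginal schedules that carry the signs the text states (the marginal benefit of crime falls with the level of violations and with security; the marginal cost of crime rises more than proportionally with violations and rises with security; the marginal benefit and cost of security both rise with the level of violations), solves each market where marginal cost meets marginal benefit, and lets the two markets react to each other until they settle. Every parameter value and the function names are constructed for this example.

```python
"""Stylised model of the interrelated markets for cybercrime and security.

Added illustration, not the report's own model.  The marginal schedules are
constructed with the signs the annex states; every parameter value is made up.
v = level of security violations (0..100 %), s = level of security (0..1).
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Params:
    """Constructed parameters of the four marginal schedules."""
    mbc_a: float = 10.0    # marginal benefit of crime at v = 0, s = 0
    mbc_v: float = 0.08    # MBC declines in v: the most lucrative crimes are committed first
    mbc_s: float = 4.0     # dMBC/dS < 0: more security lowers the payoff of a violation
    mcc_k: float = 0.001   # MCC = k * v^2: cost rises more than proportionally in v
    mcc_s: float = 3.0     # dMCC/dS > 0: more security makes each violation dearer
    mbs_a: float = 6.0     # marginal benefit of security at s = 0, v = 0
    mbs_v: float = 0.04    # dMBS/dSV > 0: more violations raise the value of security
    mcs_s: float = 8.0     # MCS rises in s: each further unit of security costs more
    mcs_v: float = 0.02    # dMCS/dSV > 0: more violations raise the cost of a given level


def mbc(v: float, s: float, p: Params) -> float:
    """Marginal benefit of crime."""
    return p.mbc_a - p.mbc_v * v - p.mbc_s * s


def mcc(v: float, s: float, p: Params) -> float:
    """Marginal cost of crime."""
    return p.mcc_k * v * v + p.mcc_s * s


def mbs(s: float, v: float, p: Params) -> float:
    """Marginal benefit of security."""
    return p.mbs_a * (1.0 - s) + p.mbs_v * v


def mcs(s: float, v: float, p: Params) -> float:
    """Marginal cost of security."""
    return p.mcs_s * s + p.mcs_v * v


def bisect_root(f, lo: float, hi: float, iters: int = 200) -> float:
    """Root of f on [lo, hi] where f(lo) > 0 and f(hi) < 0 (f = MB - MC, decreasing)."""
    for _ in range(iters):
        mid = 0.5 * (lo + hi)
        if f(mid) > 0.0:
            lo = mid
        else:
            hi = mid
    return 0.5 * (lo + hi)


def crime_level(s: float, p: Params) -> float:
    """Violations v* at which criminals stop expanding: MCC(v*) = MBC(v*), given s."""
    return bisect_root(lambda v: mbc(v, s, p) - mcc(v, s, p), 0.0, 100.0)


def security_level(v: float, p: Params) -> float:
    """Security s* at which defenders stop investing: MCS(s*) = MBS(s*), given v."""
    return bisect_root(lambda s: mbs(s, v, p) - mcs(s, v, p), 0.0, 1.0)


def joint_equilibrium(p: Params = Params(), s0: float = 0.0, tol: float = 1e-9):
    """Let the two markets react to each other until neither level moves any more."""
    s = s0
    for _ in range(1000):
        v = crime_level(s, p)
        s_next = security_level(v, p)
        if abs(s_next - s) < tol:
            return v, s_next
        s = s_next
    raise RuntimeError("markets did not settle")


def partial_signs(p: Params = Params(), v: float = 50.0, s: float = 0.5, h: float = 1e-3) -> dict:
    """Check by finite differences that the schedules carry the four signs the annex states."""
    return {
        "dMBC/dS < 0": mbc(v, s + h, p) < mbc(v, s, p),
        "dMCC/dS > 0": mcc(v, s + h, p) > mcc(v, s, p),
        "dMBS/dSV > 0": mbs(s, v + h, p) > mbs(s, v, p),
        "dMCS/dSV > 0": mcs(s, v + h, p) > mcs(s, v, p),
    }


if __name__ == "__main__":
    base = Params()
    v0, s0 = joint_equilibrium(base)
    print(f"baseline:        violations {v0:5.1f}%  security {s0:6.1%}")
    # Cheaper crime (technological change, globalisation): the MCC schedule shifts down.
    v1, s1 = joint_equilibrium(replace(base, mcc_k=0.0005))
    print(f"cheaper crime:   violations {v1:5.1f}%  security {s1:6.1%}")
    # More valuable security (mission-critical applications): the MBS schedule shifts up.
    v2, s2 = joint_equilibrium(replace(base, mbs_a=8.0))
    print(f"dearer security: violations {v2:5.1f}%  security {s2:6.1%}")
    print(partial_signs(base))
```

With the constructed parameters the baseline settles at 50% violations and 50% security; halving the cost parameter of crime moves the equilibrium to a higher level of violations, and raising the benefit of security raises the equilibrium level of security while lowering violations, which is the direction of change the annex argues is robust even though the magnitudes here are arbitrary. Starting the iteration from `s0=0.0` rather than at the fixed point makes the alternating adjustment between the two markets visible if you print each round.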

larket analysis 

market analysis framework can give high-level insights into the 
s available to influence overall outcomes. Such measures can target 
et for cybercrime and/or the market for security. Measures such as 

sting national and international law enforcement, and increasing the 
y of registering and maintaining fraudulent domains and websites, 
ct the market for crime directly and also have repercussions on the 
or security. Most likely, such measures will reduce the overall level 
ity-related costs. For reasons discussed above, it is less certain that 
asures will increase the level of security, since accepting a certain 
insecurity is economically rational. 

sures affecting overall incentive compatibility in the security 
range from forms of industry self-regulation to forms of co- 
n and government intervention. They encompass a wide spectrum 
ures, such as: requiring that security features are enabled by default; 
endations to ISPs to adopt best practices with regard to security on 
tworks; information campaigns to alert users to security risks; and 
in the ways domain names are registered. None of these measures is 
ea, but they help better align individual incentives with societal 
y requirements. 

icentives: what they are, how they work 

nomic incentives are the factors that influence decisions by 
als, as well as organisations. A close examination of the incentives 






es in case an intrusion has happened or an attack is unfolding. The 
set of incentives is most likely different for each stakeholder. 
we attempted to get a detailed account of the incentives as perceived 
cipants in the information industry. Moreover, the incentives may 
ment each other, they may form a trade-off, or they may even work 
-purposes. An important goal of our analysis was, therefore, to 
the aggregate interaction of the individual incentives faced by 
ders at the sector level. Since systems of incentives have many 
k loops, it is typically very difficult to determine the net effect of a 
of incentives. At this initial stage of the field research project, we 
ualitative approach. 

as not-for-profit forms of production and collaboration. Incentives 
i classified in monetary (remunerative, financial) and non-monetary 
ancial, moral) terms. Financial incentives include factors such as 
c salary of an employee to corporate performance, the ability to 
super-normal profit by pursuing a risky innovation, or the bottom 
ects of potential damage to a firm's reputation. Non-financial 
es encompass norms and values, typically shared with peers, and 
a common understanding as to the right course of action or the set 
hie actions that should be avoided in a particular situation. Financial 
es typically connect degrees of achievement of an objective to 
y payments. Non-financial incentives work through self-esteem (or 
d community recognition (or condemnation). 

tactical decision making, incentives can be seen as the motives for 
a specific action or the rationales for preferring one course of 
over another. As the discussion of reputation effects illustrates, it is 
es necessary to distinguish between short-term and long-term 
Characteristic features describing incentives are their power (low- 
to high-powered) and directionality (positive or negative relation to 
decision).4 An important question is the relation between the 
and power of the relevant incentives and the objectives of 

full set of incentives at work typically consists of a bundle of 
, more narrowly defined, incentive mechanisms. These incentive 
sms may work in the same direction or conflict with each other. If 






ion security but potential first-mover advantages in the information 
s may, ceteris paribus, lower the incentives to invest in information 

ntive compatibility refers to a situation in which an incentive is 
d in a way as to contribute to the stated goals of an individual or an 
tion. To assess incentive compatibility, the direct and indirect links 
an incentive mechanism and the objective being pursued will have 
amined. Incentive compatibility may exist at the level of a single 
e mechanism, the bundle of incentives at work for a specific 
der, or the entire sector under consideration. Given the potential for 
fs and even direct conflicts between incentives, incentive 
bility is much more difficult to ascertain at the level of stakeholders 
industry at large. It is a particular challenge in an industry as highly 
ated as advanced information and communication industries are. To 
ted by an incentive mechanism, individuals need to be cognizant of 
nce, its directionality, and its power. Incentives that exist on paper 
gnored by the decision makers must either be seen as zero-powered 
relevant incentives. Therefore, it is possible to reveal the existing 
e structures of the stakeholders in the information value net by 
experts and decision makers for an in-depth account. 



finalities are forms of interdependence between agents that are not 
1 in market transactions (payments, compensation). Which 
ena are identified as externalities depends to a certain degree on the 


igations are only vaguely defined they may need clarification by 
res, courts and in private contractual agreement.5 If such 
tion is afflicted with transaction costs, rational individual actors 
by the externalities will not internalise them if these costs exceed 
ntial benefits of internalisation. In this case, only a collective actor 
business association, government) may be able to address these 
ensated externalities. 

the formulation of the mainstream economic model, these 
endencies lead to deviations from a socially optimal allocation of 
s. Negative externalities result in an overuse or overproduction 






r to consumer, consumer to producer and consumer to consumer 
ities (Just et al., 2004). 

alternative typology distinguishes between technological and 
y externalities (Nowotny, 1987, p. 33). Technological externalities 
to exist if, at constant product and factor prices, the activities of one 
rectly affect the activities of another. Pecuniary externalities exist, if 
ities of one agent affect the prices that need to be paid (or may be 
) of other agents. Early contributions to the subject, for example, by 
l (1920) or Pigou (1932), treated externalities as an exception, a rare 
in a market system. However, the increasing concern with 
ental issues since the 1960s made clear that such interdependencies 
asive and part and parcel of real world market systems. 

is particularly true for information and communication networks, 
raise several new and unique issues. The high degree of 
nectedness amplifies the interdependencies between participants in 
work. Both negative and positive effects that are not reflected in 
transactions may percolate widely and swiftly through electronic 
ication networks. In some types of networks, such as peer-to-peer 
rks, agents take on dual roles as consumers as well as producers 
mation and other services. Many users of cyberspace view it as a 
s, in which transactions take place according to a gift rather than 
ace logic. Moreover, often, for example, in the case of Trojans, 
ities are generated without the explicit consent or knowledge of an 
al user. All these factors influence the prevalence of externalities 
plicate possible ways to address them. 

ernalities in networked computer environments 

ed computer environments. Depending on the origin of the 
ity, the individual decision-making calculus causing the externality 
different. In any case decision makers focus on costs and benefits 
to the individual agent and neglect costs or benefits of third parties. 1 
le 1 provides an overview of the sources and forms of externalities 
orked computer environment. The table captures the main 
ders, but not necessarily all of them. Agents in the column are the 






ame category. For example, the lax security policy of one ISP may 
xternalities for other ISPs. 

irst source of possible externalities is software vendors. When 
the level of investment in activities that reduce vulnerabilities, 
vendors will only take their private costs and benefits into account 
t., 2000). Sales of software are dependent on the reputation of the 
this reputation effect is strong, the firm will also be concerned about 
urity situation of the software users. However, it is likely that such 
n effects are insufficient to fully internalise externalities. This 
is aggravated by the unique economics of information markets with 
gh fixed costs and low incremental costs, the existence of network 
which create first-mover advantages, and the prevalence of various 
of switching costs and lock-in. These characteristics provide an 
e for suppliers to rush new software to the market (Anderson, 2001; 
hostack, 2005). They may also lead to the dominance of one or a few 
ncreasing overall vulnerability due to a "monoculture" effect 
, 2005). 



Table C.1. CERT.BR Incident Reports 

[Table residue: the row and column structure of this table did not survive extraction. Column headings: Software, ISPs, Large firms, SMEs, Individual, Criminals. Recoverable cell entries: "Risk of malevolent software", "Level of software vulnerability", "Volume of proliferating attack", "Risk of hosting or proliferating attack", "Level of trust, traffic", "Resource", "Hacking opportunities", "reputation".] 






, 2003; Camp and Wolfram, 2004; Schechter, 2004; Chen et al., 
owe and Gallaher, 2006). Profit-maximising firms, all other things 
qual, will attempt to invest in information security until the 
nted) incremental private benefits of enhanced security are equal to 
ounted) costs of that investment. A firm will therefore not invest 
security risk is fully eliminated but only as long as the expected 

at the firm imposes on third parties will not be considered in this 
(unless they indirectly affect a firm's decision making, for example, 
of reputation effects). 

wise, benefits that a security investment bestows on third parties 
not be reflected in this decision. Under conditions of imperfect 
ion and bounded rationality, firms may not be able to determine this 
ptimum with precision but they will try to approximate it. In any 
ither the negative external effects of investments falling short of the 
ptimum) nor the positive externalities of investments that go beyond 
imum are taken into consideration. Individual firm decisions may 
stematically deviate from a social optimum that takes these 
endencies into account. 

vidual users are seen by many as one of the weakest links in the 
ain of networked computing (Camp, 2006). Larger business users 
nsider their decisions in an explicit cost-benefit framework. In 
, small business and individual users often do not apply such 
ntal rationality (LaRose et al., 2005; Rifon et al., 2005). 
eless, when making decisions as to security levels, they consider 
n costs and benefits (but not those of other users). Individual users 
cularly susceptible to non-intrusive forms of malware, which do not 
significant resources on the user end (e.g. computing power, 
dth) but create significant damage to other machines. Consequently, 
of attack for all other users and the traffic volume on networks is 
d causing direct and indirect costs for third parties. 

may inflict externalities on other agents in the value chain as well 
ach other. Some malware may increase traffic and hence ISP costs 
rementally. In this case, the ISP may have little incentive to incur 
al costs to engage in traffic monitoring and filtering. Even if users 
gnificant traffic increases, an ISP with a lot of spare capacity may 
anything but very incremental cost increases, again limiting the 






owntimes) and the cost of increased preventative security expenses 
stakeholders (including cost of software and security personnel), 
costs include reduced trust within computer networks (for example, 
maintain lists of trusted other systems) and of users in information 
s, the ability of hackers to increase the effectiveness of attacks by 

and Wolfram 2004). They also include the potentially high costs 
d with the reduced willingness of consumers to engage in e- 
ce. 



i in a dynamic framework 

etworked computer environments with rapid technological change, 
ities need to be understood in a dynamic framework. Most 
tly, learning and reputation effects need to be considered. 
on and learning may happen at different time scales and with 
intensity in the various components of the value net. They will also 
ithin markets, for example enterprise market software as opposed to 
arket software. In any case, they may counteract and reduce the 
de of negative externalities and possibly enhance positive 
ities. Moreover, the activities of firms to disclose vulnerabilities will 
e the magnitude of externalities. 

re C.4 illustrates the reputation effect for the case of a software 
plus and minus signs indicate whether the two variables move in the 
the opposite direction). Other things being equal, lower expenses for 
esting and refinement by firm i ($S_i$) will reduce sunk costs and hence 
the profits ($\pi_i$) of the firm. However, costs may be externalised onto 
ms, indexed j ($C_j$). If these costs affect the reputation of firm i ($R_i$), 
may be reduced, especially if the reputation effect works swiftly. In 
, at least part of the potential externality is internalised and the 
n between private and social optimum is reduced. One form of 
ening the reputation mechanism is trusted-party certification. As 
(2006) and Anderson (2001) point out, given present liability rules, 
ms face an adverse selection incentive in that they do not face any 
ces for issuing wrong certificates. 






Figure C.4 Externalities with reputation 

[Figure residue: a diagram linking $S_i$, $\pi_i$, $R_i$ and $C_j$ with plus and minus signs on the arrows; legend: $C_j$: cost for firm j caused by sub-optimal security investment by firm i.] 



dynamic perspective, the incentives to disclose vulnerabilities need 
onsidered (Cavusoglu et al., 2005). Disclosure exerts a positive 
ity (Gal-Or and Ghose, 2003; Gal-Or and Ghose, 2005) onto other 
ders. Under certain conditions, disclosure incentives may be 
tly strong to shrink the conditions under which deviations between 
te and social optimum occur to a minimum (Choi et al., 2005). 






Notes 



tements as to the effect of changes in individual parameters or factors 
typically made under the ceteris paribus assumption: that all other 
ings remain equal. This is a widely used simplifying methodological 
ol to isolate changes in one or more variables in a highly complex 
erconnected system. Often, many factors will change simultaneously, 
full grip on such changes will typically require some form of computer- 
sed modelling or simulation. 

is possible that for some services and applications, 100% security levels 
required (hence the benefits higher than the cost, even at a level of 
00% security) and that the requisite cost will be incurred. It is unlikely, 
ough, that this will hold for all services and applications. 

ore formally, the partial derivatives can be expressed as: $\partial MBC/\partial S < 0$, 
$\partial MCC/\partial S > 0$, $\partial MBS/\partial SV > 0$, $\partial MCS/\partial SV > 0$. 

echanisms operating towards improving an objective are typically 
ferred to as "incentives" whereas those operating in the opposite 
rection are referred to as "disincentives." 

is seems currently the case in many countries. See for example: 
pindler, G. (2007), Verantwortlichkeiten von IT-Herstellern, Nutzern 
und Intermediären: Studie im Auftrag des BSI durchgeführt von Prof. Dr. 
erald Spindler, Universität Göttingen, Bundesamt für Sicherheit in der 
Informationstechnik, www. hxi.de/hie riii/xiiidifii/ivchi/Gutachten.pdf. 

a dynamic context, reputation effects may mitigate some of the 
ternalities, see the discussion below. 



GLOSSARY-227 



Glossary of Malware Terms 



thentication factors: Used to obtain access; something the user knows 
a password); something the user has (such as a credit card or 
or something the user is (a photograph or thumbprint). 

thentication/Authenticity: Being able to prove or verify a person's or 
identity with a certain level of assurance. Authentication 
sms are used to provide access control to information systems. 

lability: Ensuring that digital data within an information system and 

kdoors: A backdoor is malicious code that allows unauthorised 

o a computer system or network by accepting remote commands 
attacker elsewhere on the Internet. 

ejacking: Sending unsolicited messages to Bluetooth connected 

esnarfing enables unauthorised access to information from a wireless 
rough a Bluetooth connection. 

programme: A type of "backdoor" programme that allows attackers 
tely control many compromised information systems (often 
s) simultaneously (or individually). 

et(s): Group of malware infected computers that can be used to 

carry out attacks against other computer systems. 

fidentiality: Being able to protect information and data from 

RTs: Computer emergency response teams. 
RTs: Computer security incident response teams. 

ital certificate: A means of authenticating an identity for an entity 
ting business or other transactions on the web or on line. Digital 
tes exist as part of public key infrastructures (PKI). 

ain name: The identifier or address of any entity on the Internet. 

Name System (DNS): The way Internet domain names are located 
slated into an Internet Protocol, or IP, address. For example, the 

name www.oecd.org is a more user friendly and memorable 
ve to the IP address 193.51.65.71. 

eynet: Two or more honeypots on a network form a honeynet. 

eypot is a trap set to detect, deflect or in some manner counteract 
at unauthorised use of information systems. Generally it consists of 
ter, data or a network site that appears to be part of a network but 
actually isolated, (un)protected and monitored, and which seems to 
information or a resource that would be of value to attackers. 

grity: A primary security goal of information systems which seeks to 
hat the system as a whole (people, data, software) have not been 
ised and can continue to be trusted. 

Internet Protocol: The native 
of programmatic communication on the Internet. 

stroke loggers: A hidden programme that records and "logs" each 
s pressed on the compromised system's keyboard, as the legitimate 
he system is typing. 

ware payload: The primary function of a piece of malware. 

-repudiation: A security goal which seeks to prevent a person from 
they undertook an electronic transaction when they did. 

rating system: A computer program that manages the hardware and 
on a computer. 

ket: The minimum autonomously-routable quantum of data which 
ransmitted across a modern digital "packet switched" network. 

tch/Workaround: A small piece of software code designed to correct 
y an existing bug or flaw in an operating system or application 
me. A work-around is a set of actions that network security 
s can take to reduce their exposure to a known software 



GLOSSARY-229 



toad: The essential data Unit is being carried wilhin a packet or other 
;sion unit. The payload does not include the ■'overhead" data 
to get the packet to its destination. 

tkit: A set of programmes designed to conceal the compromise of a 
:r at the most privileged "root" level, by modifying operating system 
nserting code into the memory of running processes. 

til engineering: Techniques designed to fool human beings into 
ig information or Inking ;in action thai leads to a subsequent breach 

11: Commonly understood to mean bulk, unsolicited, unwanted and 
lly harmful electronic messages. 

yj'ing is a technique designed to deceive an uninformed person about 
n of, typically, an e-mail or a website. 

wire: A form of malware that is capable of capturing a range of data 
er input (keyboards, mice) and output (screens) and other storage 
y, hard drive etc.) and sending this information to the attacker 
the user's permission or knowledge. 

\saction signing: The process of calculating a keyed hash function to 
: a unique string that can be used to verify both the authenticity and 
of an online transaction. 
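As an added illustration of the transaction-signing entry above (this is example code written for this page, not code from the OECD report or any bank's system), the block below signs a constructed payment order with a keyed hash (HMAC-SHA256) and shows why a signed order that a man-in-the-browser Trojan alters in transit, or a signature produced without the shared key, is rejected by the verifier. The field names, the shared key, the nonce format and the canonical JSON encoding are all assumptions made for the demonstration.

```python
"""Transaction signing with a keyed hash (HMAC-SHA256).

Added example for the "Transaction signing" glossary entry; not code from
the OECD report. Field names, key and encoding are assumptions.
"""
import hashlib
import hmac
import json

# Constructed shared secret. In a real deployment the key lives with the
# customer (for example in a hardware token) and with the bank, and is
# never sent along with the transaction itself.
SHARED_KEY = b"demo-key-0123456789abcdef"  # constructed placeholder


def canonical(transaction: dict) -> bytes:
    """Encode the transaction deterministically (sorted keys, no whitespace,
    ASCII-only JSON) so that signer and verifier hash exactly the same bytes."""
    return json.dumps(transaction, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=True).encode("utf-8")


def sign_transaction(transaction: dict, key: bytes = SHARED_KEY) -> str:
    """Return the hex-encoded HMAC tag binding every field of the transaction
    to whoever holds `key`: that is the 'unique string' of the definition."""
    return hmac.new(key, canonical(transaction), hashlib.sha256).hexdigest()


def verify_transaction(transaction: dict, tag: str,
                       key: bytes = SHARED_KEY) -> bool:
    """Recompute the tag and compare it in constant time. A changed field
    (integrity) or a tag made under another key (authenticity) both fail."""
    expected = sign_transaction(transaction, key)
    return hmac.compare_digest(expected, tag)


def demo() -> dict:
    """Sign a constructed payment order, then check three verification cases."""
    tx = {
        "from": "NL00DEMO0000000001",        # constructed account numbers
        "to": "NL00DEMO0000000002",
        "amount": "250.00",
        "currency": "EUR",
        # A nonce (timestamp + counter) lets the bank reject a replayed order;
        # the tag alone would not, because a replay carries a valid tag.
        "nonce": "2008-03-06T10:15:00Z#17",
    }
    tag = sign_transaction(tx)

    # Malware that rewrites the payee or amount after signing cannot produce
    # a matching tag without the key, so the altered order is refused.
    tampered = dict(tx, to="NL00DEMO0000000099", amount="2500.00")

    return {
        "original_ok": verify_transaction(tx, tag),
        "tampered_ok": verify_transaction(tampered, tag),
        "wrong_key_ok": verify_transaction(tx, tag, key=b"other-key"),
    }


if __name__ == "__main__":
    print(demo())
```

The check relies on the verifier rebuilding the byte string from the fields it will actually execute, not from a copy supplied by the client; if the tag were computed over a display string that the malware can also rewrite, integrity protection would be lost. The nonce is what turns a tag that proves "this order was made with this key" into one that also resists replay.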

Trojan horses: A computer program that appears legitimate but actually has hidden functionality used to circumvent security measures and carry out [...]

Virus: Directly analogous to its biological namesake, a virus is hidden code that spreads by infecting another program and inserting a copy of itself into that program.

Vulnerability: A flaw or weakness in a system's design, implementation, operation and management of software that could be exploited.

Worm: A type of malware that self replicates without the need for a host programme or human interaction.


Computer Viruses and Other Malicious Software

A THREAT TO THE INTERNET ECONOMY

The Internet has become a powerful tool for enhancing innovation and productivity. Nevertheless, the increasing dependence on the Internet and other communication [...] computer viruses and other types of malicious software (malware).

Malware attacks are increasing in both frequency and sophistication, thus posing a [...] fight malware are not up to the task of addressing this growing global threat. Malware [...] Providers to end users - all play a role in combating malware. But there is still limited [...] of each of these actors. Improvements can be made in many areas, and international [...] guidelines and standards, research and development); improved legal frameworks; stronger law enforcement; improved tech industry practices; and better alignment of economic incentives with societal benefits.

This book is a first step toward addressing the threat of malware in a comprehensive, [...] growth, evolution and countermeasures to combat it; 2) to present new research into [...] suggestions on how the international community can better work together to address [...]